<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Adopting Zero Trust]]></title><description><![CDATA[An ongoing conversation about the people and organizations adopting Zero Trust.]]></description><link>https://www.adoptingzerotrust.com</link><image><url>https://substackcdn.com/image/fetch/$s_!gO0_!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fbucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com%2Fpublic%2Fimages%2Fbc2384e7-76f0-4704-9c44-fd48a2d84d7d_1280x1280.png</url><title>Adopting Zero Trust</title><link>https://www.adoptingzerotrust.com</link></image><generator>Substack</generator><lastBuildDate>Mon, 27 Apr 2026 16:52:24 GMT</lastBuildDate><atom:link href="https://www.adoptingzerotrust.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Adopting Zero Trust]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[adoptingzt@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[adoptingzt@substack.com]]></itunes:email><itunes:name><![CDATA[Elliot Volkman]]></itunes:name></itunes:owner><itunes:author><![CDATA[Elliot Volkman]]></itunes:author><googleplay:owner><![CDATA[adoptingzt@substack.com]]></googleplay:owner><googleplay:email><![CDATA[adoptingzt@substack.com]]></googleplay:email><googleplay:author><![CDATA[Elliot Volkman]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Security Debt We Pretend Isn’t There]]></title><description><![CDATA[Season 5, EP 01: Unpacking RTO fallout, endpoint sprawl, tooling fatigue, junior workforce erosion]]></description><link>https://www.adoptingzerotrust.com/p/the-security-debt-we-pretend-isnt</link><guid 
isPermaLink="false">https://www.adoptingzerotrust.com/p/the-security-debt-we-pretend-isnt</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 29 Jan 2026 17:01:29 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/186209157/6fdb0008ebebf526fdd73e382754d2eb.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>As organizations push return-to-office (RTO) mandates and chase efficiency, many security teams are quietly accumulating debt they don&#8217;t know how to unwind.</p><p>In this episode, we are joined by <a href="https://www.linkedin.com/in/leathorpe/">Lea Cure Thorpe</a> and <a href="https://www.linkedin.com/in/kaynemcgladrey/">Kayne McGladrey</a> to unpack the less-discussed consequences of recent security decisions: RTO exposure, endpoint blind spots, tooling overload, analyst burnout, and the slow erosion of junior talent (thanks, AI).</p><p>Rather than going too crazy on hot takes and obvious trends, we focus on operational reality, business risk, and what security leaders need to confront before these issues compound further.</p><h2>Where to Skim</h2><ul><li><p><strong>02:00 &#8211; 06:30 | Is the perimeter really dead?</strong><br>Challenging the &#8220;perimeter is gone&#8221; narrative and why AI hasn&#8217;t created new problems, just reprioritized old ones.</p></li><li><p><strong>06:30 &#8211; 12:30 | RTO fallout and the return of local network risk</strong><br>How return-to-office mandates exposed neglected infrastructure, VPN risk, and why edge devices are back 
in attackers&#8217; sights.</p></li><li><p><strong>12:30 &#8211; 18:30 | Endpoint sprawl, dirty devices, and SOC fatigue</strong><br>The reality of unmanaged laptops, log overload, EDR/XDR fatigue, and why more telemetry isn&#8217;t the same as better security.</p></li><li><p><strong>18:30 &#8211; 26:00 | Cloud tooling, visibility gaps, and false assurances</strong><br>Why SOC 2 reports don&#8217;t equal real visibility, the limits of cloud logging, and the growing disconnect between control and insight.</p></li><li><p><strong>26:00 &#8211; 33:30 | AI adoption: risk appetite vs. reality</strong><br>Blocking vs. observing AI use, data leakage concerns, contractual controls, and why AI security is often just relabeled AppSec.</p></li><li><p><strong>33:30 &#8211; 41:00 | Identity, agentic AI, and trust amplification risk</strong><br>New trust relationships, decision delegation, and why detecting misuse becomes harder.</p></li><li><p><strong>41:00 &#8211; 50:30 | Workforce erosion and the efficiency trap</strong><br>Junior analyst displacement, automation myths, and why eliminating entry-level roles creates long-term security debt.</p></li><li><p><strong>50:30 &#8211; 58:30 | The business math CISOs can&#8217;t avoid</strong><br>Efficiency vs. productivity, cost centers vs. value creation, and how security leaders need to frame impact in financial terms.</p></li><li><p><strong>58:30 &#8211; 1:05:00 | Career development, communication, and relevance</strong><br>Why business context matters for analysts, how to avoid irrelevance, and the role of security leaders as translators.</p></li></ul><h3>Security debt didn&#8217;t disappear</h3><p>Much of what security teams are struggling with today isn&#8217;t new. The rapid shift to remote work, followed by return-to-office mandates that arrived almost as quickly, forced organizations to make short-term tradeoffs that were never fully unwound. 
Local network defenses were deprioritized, endpoints became personal devices by default, and VPNs were treated as a sufficient control layer long after that assumption stopped holding. </p><p>In many cases this has led to unresolved decisions that now compound each other.</p><h3>More tools haven&#8217;t translated into more clarity</h3><p>Across endpoints, cloud services, and identity platforms, teams are drowning in telemetry while still lacking confidence in what actually matters. Logging gaps, limited visibility into SaaS platforms, and vendor assurances that replace real monitoring have created an environment where alert volume increases but understanding does not. </p><p>Tooling fatigue isn&#8217;t about having too many products so much as it&#8217;s about losing the thread between signal, context, and action.</p><h3>Efficiency pressure is reshaping security teams in the wrong direction</h3><p>As organizations push for efficiency gains, security teams are increasingly evaluated as cost centers rather than risk mitigators. Automation and AI are frequently positioned as ways to eliminate low-level work, but removing junior roles breaks the pipeline that produces senior expertise. 
And in a world where cybersecurity will never really be entry level, we are creating a problem our future selves will have to solve.</p><p>Short-term efficiency gains may look attractive on a spreadsheet, but they introduce long-term operational and workforce risk that is harder to reverse.</p>]]></content:encoded></item><item><title><![CDATA[Whisper Leak: When Encrypted Conversations with AI Still Reveal What You’re Talking About]]></title><description><![CDATA[S4 EP 6: We chat with one of the researchers behind the side-channel attack on LLMs]]></description><link>https://www.adoptingzerotrust.com/p/whisper-leak-when-encrypted-conversations</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/whisper-leak-when-encrypted-conversations</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 11 Dec 2025 12:35:36 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/181255009/87f101ec21b9235ffec58f2effdeb9e3.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>AI is reshaping every corner of security, but every once in a while, a discovery forces us to rethink the boundaries of private communication. This week, we chat about <a href="https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/">Whisper Leak</a>, a side-channel issue uncovered by Microsoft Threat Intelligence researchers <a href="https://www.linkedin.com/in/yo-yo-yo-jbo/">JBO</a> (now at CrowdStrike) and Geoff McDonald. 
It doesn&#8217;t break encryption, but it exposes something defenders often overlook: metadata can be surprisingly revealing.</p><p>In this conversation, we explore how Whisper Leak works, why it matters, and how quickly vendors, Microsoft included, moved to reduce real-world risk.</p><h2><strong>Key Takeaways</strong></h2><ul><li><p>Whisper Leak doesn&#8217;t break encryption; it exploits metadata consistency and token timing.</p></li><li><p>Topic inference is feasible at scale, especially for well-resourced threat actors.</p></li><li><p>Mitigations now exist, and vendors have enabled them by default in most chat interfaces.</p></li><li><p>API users must explicitly enable obfuscation, or they&#8217;re likely still vulnerable.</p></li><li><p>Side-channel thinking needs to become standard practice in AI system design.</p></li><li><p>Zero Trust principles apply to AI just as they do to traditional network and app security.</p></li></ul><h3>Editor&#8217;s note</h3><p>Hey, we&#8217;re not dead, just been super busy. Neal changed jobs and was busy traveling for a couple of months. My role has been slammed supporting a series of events (Black Hat &gt; Ignite) and some other large projects. In fact, you can check out one of them here, which offers an <a href="https://www.microsoft.com/en-us/security/security-insider/threat-landscape/inside-Microsoft-threat-intelligence-disruption">inside look at threat intel at Microsoft.</a></p><p>We&#8217;ll be back in the new year, but probably won&#8217;t have an every-other-week cadence for a bit. 
As always, we&#8217;re looking for great stories to tell, so feel free to reach out if you have a pitch (that&#8217;s not just about product).</p><h2><strong>The Problem: Encryption Isn&#8217;t the Weak Point, Patterns Are</strong></h2><p>JBO summarizes the problem simply: even when your AI chat is fully encrypted end-to-end, a threat actor watching network traffic may still infer the <em>topic</em> of your conversation.</p><p>Not the words.<br>Not the content.<br>Just the <em>topic</em>, but that&#8217;s more than enough in the wrong hands.</p><p>Think of it like observing two people behind soundproof glass. You can&#8217;t hear them, but body language gives away whether they&#8217;re arguing, negotiating, or discussing something sensitive. Whisper Leak works the same way, except the gestures are packet sizes and timing intervals.</p><p>Two factors make LLMs especially susceptible:</p><p><strong>1. Stream ciphers preserve message length</strong></p><p>Most LLM interactions use encryption modes where ciphertext size strongly correlates with plaintext size. If a word is five characters, the encrypted packet will be roughly the same size. That correlation becomes a signal.</p><p><strong>2. Token streaming leaks timing information</strong></p><p>LLMs don&#8217;t send full responses; they stream tokens as they&#8217;re generated. Those timing intervals create a fingerprint that can be captured and analyzed.</p><p>Combine the two, and you have a statistical attack that can classify conversation topics with high accuracy.</p><h2><strong>This Is a Side-Channel Attack, Not a Cryptographic Failure</strong></h2><p>One of the first misconceptions JBO clears up: <strong>nothing about Whisper Leak breaks TLS, breaks encryption, or defeats modern ciphers</strong>.</p><p>This is classic side-channel territory, just as RF emissions, heat signatures, or power fluctuations have historically been used to infer secrets.</p><p>What makes Whisper Leak different is scale. 
Modern LLMs create massive, predictable volumes of structured, encrypted traffic. Structure is its own vulnerability.</p><p>And while most threat actors aren&#8217;t about to spin up clusters to train topic-classification models, nation-state actors <em>can</em>. More importantly, anyone could already have captured traffic to analyze later, making detection effectively impossible.</p><p>As JBO puts it:</p><blockquote><p>&#8220;There is no way for anyone to actually know if they were impacted. Someone can sniff your network today, save it, and run the attack offline.&#8221;</p></blockquote><h2><strong>Mitigations: How Vendors Responded</strong></h2><p>One reason this research drew attention is that it launched with coordinated, responsible mitigation from major LLM providers&#8212;including Microsoft and OpenAI. Mitigations included:</p><p><strong>1. Token batching</strong></p><p>Sending responses in batches instead of token by token reduces timing granularity.</p><p><strong>2. Controlled output rates</strong></p><p>A leaky-bucket-style mechanism smooths timing variance.</p><p><strong>3. Padding and obfuscation</strong></p><p>Vendors added randomized garbage data to break the correlation between plaintext length and ciphertext length.</p><p>OpenAI added an <code>obfuscate=true</code> parameter to its API.<br>Microsoft added an equivalent parameter to Azure OpenAI endpoints.</p><p>These changes dramatically reduce classification accuracy without materially degrading performance.</p><p>As JBO states:</p><blockquote><p>&#8220;We hope that with our paper, it&#8217;s going to influence the industry as a whole to think about these ideas proactively.&#8221;</p></blockquote><h2><strong>Why Zero Trust Still Applies Here</strong></h2><p>Zero Trust isn&#8217;t just about identity, segmentation, and continuous verification. 
It&#8217;s also about understanding assumptions, and Whisper Leak challenges a big one:</p><blockquote><p><em>Encrypted traffic &#8800; private traffic.</em></p></blockquote><p>Metadata, timing, size patterns: these are routinely overlooked as safe enough. But as AI ecosystems grow, the surface area grows with them. Whisper Leak shows that:</p><ul><li><p>Privacy depends on the full communication pattern, not just the cipher.</p></li><li><p>LLM architectures introduce new observable behaviors.</p></li><li><p>Defenders must anticipate issues that emerge from scale, not failure.</p></li></ul><p>This is Zero Trust at its core: treat every layer as untrusted until proven otherwise, including the ones we didn&#8217;t previously question.</p><div><hr></div><h2><strong>Want to learn more?</strong></h2><ul><li><p><a href="https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/">You can read the full report and access the research behind it here</a>.</p></li><li><p>Look for a follow-up conversation with JBO and Geoff on the <a href="https://thecyberwire.com/podcasts/microsoft-threat-intelligence">Microsoft Threat Intelligence Podcast</a>, where Sherrod DeGrippo will dig even deeper.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[The Rise of AI-Powered Interview Cheating]]></title><description><![CDATA[From astroturfing Reddit to evading anti-cheating tools, InterviewHammer exposes a darker side of AI in hiring]]></description><link>https://www.adoptingzerotrust.com/p/the-rise-of-ai-powered-interview</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/the-rise-of-ai-powered-interview</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Fri, 22 Aug 2025 14:13:51 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!ZTrx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb4aa3004-0144-46d7-b06b-92c517cba770_1816x1278.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!ZTrx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb4aa3004-0144-46d7-b06b-92c517cba770_1816x1278.png" width="1456" height="1025" alt=""></figure></div><p>Imagine this: You&#8217;re interviewing a candidate. They answer every question smoothly, with polished examples and well-structured talking points. During coding challenges, they pass with precision and ease. Impressive, right? Except it wasn&#8217;t them. Their phone was feeding them real-time AI-generated answers based on screenshots of your own screen or the questions you ask them.</p><p>This isn&#8217;t hypothetical; it&#8217;s here and readily accessible.</p><p><em><strong>Note: </strong>This article has no connection to my day job; it concerns a series of apps disrupting communities that I have built and maintain, focused on career mentorship.</em></p><h2>The New Breed of AI Interview Apps</h2><p>AI-powered coaching tools aren&#8217;t new. 
Candidates have long used prep platforms, practice quizzes, or even mock interviews with AI bots. But the latest wave of apps doesn&#8217;t stop at preparation; they insert themselves into the interview itself.</p><p>These apps listen to questions in real time, generate suggested answers, and discreetly deliver them back to the candidate. What used to be an assessment of skill and authenticity risks becoming a test of who&#8217;s best at outsourcing their personality to a covert AI prompter.</p><h2>Where It Crosses the Line</h2><p>Some apps at least frame themselves as guidance tools. One particular app, Interview Hammer, doesn&#8217;t bother. They openly market Stealth Mode, a feature designed to defeat anti-cheating tools in monitored interviews.</p><p>From their own promotional video:</p><ul><li><p>The desktop app hides under a generic system tray icon to avoid suspicion</p></li><li><p>It captures screenshots of the monitored interview window</p></li><li><p>Those screenshots are instantly transferred to the candidate&#8217;s phone</p></li><li><p>The AI analyzes the images and feeds back tailored responses in real time</p></li></ul><p>Their own words: &#8220;With Interview Hammer&#8217;s stealth mode, you get intelligent interview assistance that remains completely undetectable, giving you the confidence to ace any interview.&#8221;</p><p>This isn&#8217;t coaching. 
This is software built for cheating &#8212; full stop.</p><div id="youtube2-_GFYSazIRHE" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;_GFYSazIRHE&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/_GFYSazIRHE?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Astroturfing the Job Market</h2><p>What makes Interview Hammer particularly problematic goes beyond the product itself to how they push it into communities. More specifically, they are replicating social engineering tactics designed to manipulate people.</p><p>As a moderator on several job-seeking communities, I&#8217;ve seen firsthand how they operate:</p><ul><li><p><strong>Astroturfing campaigns: </strong>Fake accounts post glowing success stories about how Interview Hammer changed their life. In other attempts, sad stories reflect on the rough job market and claim that this particular solution has been helping them through it.</p></li><li><p><strong>Sockpuppet networks: </strong>Posts get suspiciously juiced with upvotes to trend early.</p></li><li><p><strong>Ban evasion:</strong> Even after banning the company name, they slip through with variations and fake narratives.</p></li><li><p><strong>Bribery attempts: </strong>In one case, a representative offered to pay me directly to allow regular promotional posts (see screenshot). 
Based on the communities where some of these posts remain up, other community managers may have accepted those bribes.</p></li></ul><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!17ra!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62adda74-432c-4dfd-b871-0964af1ef03c_1600x473.png" width="1456" height="430" alt=""></figure></div><p>This isn&#8217;t organic community engagement; it&#8217;s manipulation. 
They&#8217;re playing by the same rules as disinformation campaigns: manufacturing credibility through deception.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!EcKH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20a1a9cc-6f5c-4fb3-94b7-ed2b5ddf54b7_1600x540.png" width="1456" height="491" alt=""></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5PBS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5PBS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 424w, https://substackcdn.com/image/fetch/$s_!5PBS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 848w, 
https://substackcdn.com/image/fetch/$s_!5PBS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 1272w, https://substackcdn.com/image/fetch/$s_!5PBS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5PBS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png" width="1456" height="687" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:687,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5PBS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 424w, https://substackcdn.com/image/fetch/$s_!5PBS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 848w, 
https://substackcdn.com/image/fetch/$s_!5PBS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 1272w, https://substackcdn.com/image/fetch/$s_!5PBS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F557d9338-ec1e-46db-b3c5-c303aa834aee_1600x755.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!ELd4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ELd4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 424w, https://substackcdn.com/image/fetch/$s_!ELd4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 848w, https://substackcdn.com/image/fetch/$s_!ELd4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 1272w, https://substackcdn.com/image/fetch/$s_!ELd4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ELd4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png" width="1456" height="769" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:769,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ELd4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 424w, https://substackcdn.com/image/fetch/$s_!ELd4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 848w, https://substackcdn.com/image/fetch/$s_!ELd4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 1272w, https://substackcdn.com/image/fetch/$s_!ELd4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fbb315b-cdc0-44e2-abde-addce30939e8_1600x845.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path 
d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!sffY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!sffY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 424w, https://substackcdn.com/image/fetch/$s_!sffY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 848w, 
https://substackcdn.com/image/fetch/$s_!sffY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 1272w, https://substackcdn.com/image/fetch/$s_!sffY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!sffY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png" width="1456" height="559" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:559,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!sffY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 424w, https://substackcdn.com/image/fetch/$s_!sffY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 848w, 
https://substackcdn.com/image/fetch/$s_!sffY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 1272w, https://substackcdn.com/image/fetch/$s_!sffY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F935a57cf-1406-4f9c-a6f2-f23f1a903037_1600x614.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Why This Matters Beyond One Company</h2><p>It&#8217;s tempting to laugh this off as a sketchy startup chasing desperate job seekers. 
But the implications run deeper:</p><ul><li><p><strong>Trust erosion:</strong> If hiring managers can&#8217;t rely on interviews, the entire process loses credibility.</p></li><li><p><strong>Security risks:</strong> These same stealth techniques could be repurposed by malicious actors applying for sensitive roles to slip past hiring filters.</p></li><li><p><strong>Collateral damage:</strong> In response, companies will likely double down on intrusive surveillance: webcam monitoring, keystroke logging, and even stricter identity verification. And those hurt most will be the honest candidates.</p></li></ul><p>This is how a handful of bad actors can poison the well for everyone.</p><h2>What Comes Next?</h2><p>Employers will need to rethink hiring assessments, and for many of them, remote interviews may no longer be a viable option. There will likely be at least one attempt to use augmented reality glasses to solve for the same issues flagged here.</p><p>Work samples, technical challenges, and behavioral testing may become more important than conversational Q&amp;A. Regulators may eventually need to weigh in if such apps are harvesting candidate data under false pretenses.</p><p>But in the near term, the lesson is clear:</p><ul><li><p>If you&#8217;re a candidate, don&#8217;t be fooled; outsourcing your integrity is not a path to success.</p></li><li><p>If you&#8217;re an employer, be aware that the interview process is already under attack from AI-driven cheating tools.</p></li></ul><p>Interview prep is fair game. Everyone wants to put their best foot forward. 
But when an app markets itself as a way to <em>defeat anti-cheating tools</em> and stay <em>completely undetectable</em>, it stops being a tool and becomes a fraud.</p>]]></content:encoded></item><item><title><![CDATA[Leading Through Uncertainty: AI, Risk, and Real Talk from RSAC’s Women in Cyber]]></title><description><![CDATA[Recapping Synack's Women in Cyber panel: Inside the hard conversations about AI risk, hiring struggles, and why resilience]]></description><link>https://www.adoptingzerotrust.com/p/leading-through-uncertainty-ai-risk</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/leading-through-uncertainty-ai-risk</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 08 May 2025 14:29:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!-gQR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9e366c-2c2e-4020-b9df-e98b406d7225_3776x2832.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<figure><img src="https://substackcdn.com/image/fetch/$s_!-gQR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4a9e366c-2c2e-4020-b9df-e98b406d7225_3776x2832.jpeg" width="1456" height="1092" alt=""></figure><p>At RSAC 2025, early risers were rewarded with strong coffee, realistic opinions, and a panel of cybersecurity leaders who didn&#8217;t hold back. Synack hosted its <em><a href="https://event.synack.com/rsac-2025-women-in-cyber">Women in Cyber Breakfast</a></em> for the fourth year, and this year&#8217;s conversation couldn&#8217;t have been more timely.</p><p>Moderated by best-selling author Nicole Perlroth (<em>This Is How They Tell Me the World Ends</em>)&#8212;who just launched her new podcast <em>To Catch a Thief: China&#8217;s Rise to Cyber Supremacy</em>&#8212;the panel explored what it means to lead in cybersecurity during a time of fast-moving AI adoption, global tensions, and pressure from every angle.</p><p>Joining Nicole were:</p><ul><li><p><strong><a href="https://www.linkedin.com/in/nidhiluthra?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAAAL0wlYBIjpYH6AARF9fNuRaPt69vEZZsjM">Nidhi Luthra</a></strong>, SVP &amp; CISO at Baxter International</p></li><li><p><strong><a href="https://www.linkedin.com/in/deneendefiore?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAAAEDTBUB4I2_8hUSYsu7eLZ__LxJ-AGUF7w">Deneen DeFiore</a></strong>, VP &amp; CISO at United Airlines</p></li><li><p><strong><a href="https://www.linkedin.com/in/rebekah-wilke-?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAACc0GzMBHUzsWewfwi6zCrdNaSDubpMtNxk">Rebekah Wilke</a></strong>, BISO at Jack Henry</p></li><li><p><strong><a href="https://www.linkedin.com/in/melissasbishop?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAAAP9S5wBDyd3B_-fOhJPyzGRRs1pRK043IA">Melissa Bishop</a></strong>, CISO of Corporate Services at Amazon</p></li></ul><h2>On AI and Insider Threats: &#8220;It&#8217;s not just the phishing&#8230;&#8221;</h2><p>Perlroth kicked things off by asking how CISOs are coping with the onslaught of next-gen threats. Melissa Bishop got right to it: AI is supercharging social engineering. &#8220;It&#8217;s not just better phishing,&#8221; she explained. 
&#8220;We&#8217;re even seeing candidates use AI to look more qualified on paper, and that opens the door to potential insider threats.&#8221;</p><p>And yes, that certainly plays into the <a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/">North Korean IT workers getting placed</a>, but it has broader implications, too.</p><p>Bishop also emphasized the importance of data classification. Paraphrasing her: if AI agents are consuming your information, you&#8217;d better know what they&#8217;re allowed to touch, and we need to think about AI access the way we think about human identity and privilege.</p><h2>Being asked to do more with less</h2><p>Several panelists echoed a familiar challenge: more risk, tighter budgets. Nidhi Luthra noted that her team is moving away from &#8220;broad controls&#8221; and putting more energy into targeted investments that are informed by intel. &#8220;It&#8217;s more surgical now,&#8221; she said. &#8220;And we&#8217;re being asked to justify it all&#8212;with metrics and ROI.&#8221;</p><p>Deneen DeFiore framed the moment as an opportunity to invest in tech like AI agents, tools that can improve irregular operations, but emphasized that it only works if cybersecurity is clearly aligned with the business.</p><p>It should be noted, however, that no panelist, and really no conversation at RSAC, suggested that solving these challenges means replacing people with AI, agents, or automation. Instead, this technology can help bridge the skill gap for newer talent or help experienced teams move faster. 
Well, <a href="https://techcrunch.com/2025/05/07/crowdstrike-says-it-will-lay-off-500-workers/">maybe not at RSAC</a> at least.</p><h2>The Talent Crisis, Personal Liability, and Staying Sane</h2><p>When Perlroth brought up the elephant in the boardroom, that many security leaders feel they are being asked to function as intelligence agencies, there were nods all around.</p><p>Luthra flagged that it&#8217;s not just the stress; she feels she has figured out how to manage that. Personal liability, however, is a growing concern for CISOs. She added that when budgets are cut, training and development are usually the first to go, which makes hiring and retaining talent even harder.</p><p>DeFiore shared that everything revolves around safety and risk in aviation, so her team is growing cybersecurity talent through apprenticeships and rotations. &#8220;They know what they&#8217;re signing up for,&#8221; she said. &#8220;And we&#8217;re building a pipeline instead of only chasing the most experienced.&#8221;</p><p>Rebekah Wilke pointed out that the need for broader skillsets, rather than narrow domain expertise, is changing how teams operate. &#8220;But it does affect how we deliver on outcome-focused strategies,&#8221; she cautioned.</p><h2>AI Governance: AKA the still-figuring-it-out stage</h2><p>Perlroth turned the conversation back to AI, asking how leaders are setting guardrails. Wilke didn&#8217;t sugarcoat it: &#8220;AI is moving too fast for governance to keep up. We still don&#8217;t know what the real outcomes will be.&#8221;</p><p>Luthra described internal governance groups that help &#8220;slow things down&#8221; while the company figures out how and where AI should be integrated, especially in patient-facing services. She also mentioned efforts to hunt for rogue AI usage inside the org to understand what it might be capturing.</p><p>Bishop returned to the idea of treating AI agents like privileged identities. 
&#8220;This is a shift,&#8221; she said. &#8220;You can&#8217;t just deploy these tools without thinking about what they&#8217;re allowed to access.&#8221;</p><h2>Supply Chain and Shared Risk</h2><p>Finally, the panel dug into third-party risk, especially in the wake of recent high-profile incidents. Luthra referenced the public response from the CEO of CrowdStrike, praising the transparency and realism: &#8220;Humans make mistakes. Resilience is the playbook.&#8221;</p><p>DeFiore added that third-party risk can never be completely controlled, but understanding <em>shared dependencies</em>, what parts of your business rely on those third parties, is critical. &#8220;You&#8217;ve got to bake that into your continuity planning.&#8221;</p><h2>The Bottom Line</h2><p>There was no sugarcoating on this panel, just hard-won insight from people in the trenches. If there was a unifying theme, it was this: Today&#8217;s security leaders are under pressure to do more, prove more, and stay ahead of both emerging tech and nation-state threats&#8230; all while recruiting a workforce that hasn&#8217;t even been fully trained yet.</p><p>And somehow, they keep showing up.</p>]]></content:encoded></item><item><title><![CDATA[How Critical Infrastructure Leaders Are Rethinking Cybersecurity]]></title><description><![CDATA[S4 EP 5: What&#8217;s changed, what&#8217;s working, and how to prepare for when, not if, incidents hit critical infrastructure.]]></description><link>https://www.adoptingzerotrust.com/p/how-critical-infrastructure-leaders</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/how-critical-infrastructure-leaders</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 17 Apr 2025 11:20:44 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/161484315/7d634451ab908d40f18e67a24a6dc738.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Adopting Zero Trust has been on air for four years now, and you may have noticed we have avoided talking about a certain topic: breaches and incidents. Today, however, we tread carefully into that subject, and we are fortunate to have an expert on hand to guide us through what is inevitably a bumpy topic. 
Our guest, <a href="https://www.linkedin.com/in/ianbramson/">Ian Bramson</a>, Vice President of Global Industrial Cybersecurity at <a href="https://www.bv.com/en-US">Black &amp; Veatch</a>, had a frank conversation about asset visibility, the breakdown of IT/OT silos, and the growing call for consequence-driven cyber strategies.</p><blockquote><p>&#8220;The only guarantee I can give anyone is that someone&#8217;s going to get in at some point.&#8221; &#8212; Ian Bramson</p></blockquote><div id="youtube2-mXV9KV1Q6p4" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;mXV9KV1Q6p4&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/mXV9KV1Q6p4?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h3>Editor&#8217;s Note</h3><p>To be clear, the reason why we don&#8217;t cover incidents and breaches is that hindsight or external reporting is not beneficial when it&#8217;s just commentary. That is why we have avoided this subject in general, but since this is more about defensive measures and continuity, it seemed safe enough.</p><p>Also, it&#8217;s that wonderful time of year again, RSAC. Neal and I will be floating around there somewhere, and likely recording an episode or two. 
I&#8217;ll primarily be over at the Palace hotel supporting Microsoft Threat Intelligence, and our panel is already booked solid, <a href="https://microsoftsecurityevents.eventbuilder.com/event/88614?source=MicrosoftExecGM2025">but you can still try to register here</a>.</p><h2>Key Takeaways: Preparing Critical Infrastructure for Cyber Incidents</h2><ul><li><p><strong>The cybersecurity conversation has shifted</strong> from skepticism (&#8220;is this real?&#8221;) to urgency (&#8220;where do we start?&#8221;).</p></li><li><p><strong>Asset visibility is foundational:</strong> Many organizations still don&#8217;t know what&#8217;s connected in their OT environments, making risk assessment and response nearly impossible.</p></li><li><p><strong>Executive conversations should focus on outcomes, not tools:</strong> Speak in terms of safety, uptime, and business continuity, not patching or protocols.</p></li><li><p><strong>Risk-based framing unlocks funding:</strong> Use consequence-driven models (e.g., bowtie risk diagrams) to illustrate probability vs. impact.</p></li><li><p><strong>Bang the risk register until money comes out:</strong> Translate cyber issues into operational risks that boards understand.</p></li><li><p><strong>IT/OT convergence is real and accelerating:</strong> Legacy equipment is being networked, cloud-connected, and exposed in ways it wasn&#8217;t designed for.</p></li><li><p><strong>Use your own data first:</strong> OT systems produce rich operational data that can reveal threats without relying solely on external feeds.</p></li><li><p><strong>Don&#8217;t show up with just a problem, bring options:</strong> Propose solutions in business terms, with a plan and a clear ask.</p></li></ul><h2>The Question Has Changed: From &#8216;Why Cyber?&#8217; to &#8216;What Now?&#8217;</h2><p>Ian noted a dramatic shift in how critical infrastructure operators are framing cybersecurity. A decade ago, leaders dismissed the risk. 
Today, they&#8217;re asking where to begin.</p><blockquote><p>&#8220;I&#8217;ve had them look at me and say I was making up cyber to sell them stuff. That was rough. But that&#8217;s not the case anymore.&#8221;</p></blockquote><p>The first step, Ian says, is helping non-technical stakeholders understand the fundamentals: <em>What do you need to protect? Where are the holes?</em> Executive conversations shouldn&#8217;t start with asset inventories&#8212;they should start with business risk.</p><div><hr></div><h2>Dollars Follow Risk, Not Scans</h2><p>It&#8217;s no surprise that funding is often the biggest hurdle. Ian emphasized the importance of translating technical findings into operational risk language.</p><blockquote><p>&#8220;Bang the risk register until money comes out.&#8221;</p></blockquote><p>The key? Frame investments around safety and uptime. Don&#8217;t come to the board with a list of CVEs. Come with a risk equation that explains the potential business impact and options to mitigate it.</p><div><hr></div><h2>Threat Intel Isn&#8217;t Just Data, It&#8217;s Direction</h2><p>We dove into how threat intelligence can be operationalized, and Ian didn&#8217;t hold back.</p><blockquote><p>&#8220;Data is not intelligence. You have to synthesize it, pattern it, and make it actionable.&#8221;</p></blockquote><p>Teams must shift from firehose mode to focused intelligence gathering. That starts by defining requirements: What do we need to know to keep operations safe? From there, tailor the collection and make it digestible for decision-makers.</p><div><hr></div><h2>The Collapse of IT/OT Distinctions</h2><p>The boundaries between IT and OT are rapidly disintegrating. From connected turbines to cloud-enabled remote access, industrial environments are more exposed than ever.</p><blockquote><p>&#8220;You can have an IT attack with an OT consequence. 
Think Colonial Pipeline.&#8221;</p></blockquote><p>To manage that complexity, Ian advocates for a consequence-driven model: don&#8217;t organize your security response by which network a threat entered on; organize it by the operational impact it can cause.</p><h2>What&#8217;s Driving Change? Pressure, Pivots, and Pragmatism</h2><p>Whether it&#8217;s post-breach wake-up calls or the push to modernize industrial controls, Ian sees more organizations coming to the table earlier, especially during new construction or system overhauls.</p><blockquote><p>&#8220;Segmenting a live network is painful. If you build it in, it&#8217;s cheaper and better.&#8221;</p></blockquote><p>The industry is slowly shifting from bolt-on to built-in security, but legacy systems and cultural gaps still create drag.</p><h2>Don&#8217;t Just Raise the Alarm, Bring a Plan</h2><p>When it comes to vulnerability management in OT, urgency has to be balanced with availability. And above all, leaders must bring solutions to the table, not just problems.</p><blockquote><p>&#8220;Don&#8217;t say, &#8216;Oh my God, what are we going to do?&#8217; Say: &#8216;Here&#8217;s what it means in business terms. Here&#8217;s the plan. 
Here&#8217;s what we need.&#8217;&#8221;</p></blockquote>]]></content:encoded></item><item><title><![CDATA[Introducing Cyber Disruptors: The Ultimate Cybersecurity Collector Card Game]]></title><description><![CDATA[In the battle against cyber threats like Lazer Rhino and Bomb Spider, cyber disruptors have never been more critical.]]></description><link>https://www.adoptingzerotrust.com/p/introducing-cyber-disruptors-the</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/introducing-cyber-disruptors-the</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Mon, 31 Mar 2025 08:21:02 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/160205507/cb2e5a34c88be2dc4f723f07b781ca41.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Q2_I!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4400e4c-70ba-4531-a7f6-6c2f101dfd17_1908x1063.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Q2_I!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4400e4c-70ba-4531-a7f6-6c2f101dfd17_1908x1063.png 424w, https://substackcdn.com/image/fetch/$s_!Q2_I!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4400e4c-70ba-4531-a7f6-6c2f101dfd17_1908x1063.png 848w, https://substackcdn.com/image/fetch/$s_!Q2_I!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4400e4c-70ba-4531-a7f6-6c2f101dfd17_1908x1063.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Q2_I!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4400e4c-70ba-4531-a7f6-6c2f101dfd17_1908x1063.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Q2_I!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4400e4c-70ba-4531-a7f6-6c2f101dfd17_1908x1063.png" width="1908" height="1063" alt=""></picture></div></a></figure></div><p>In the battle against cyber threats like Lazer Rhino and Bomb Spider, cyber disruptors have never been more critical. 
But what if you could <em>experience</em> this fight in a whole new way? Well, hold onto your firewalls, because we're about to change the game.</p><p>Introducing <strong>Cyber Disruptors</strong>, the <em>first-ever</em> collector card game that puts the power of cybersecurity experts, analysts, and researchers directly in your hands! This April 1, we invite you to join the ranks of cybersecurity&#8217;s finest as you battle digital threats and show off your knowledge of the latest attack vectors.</p><h3>How It Works:</h3><p>Each Cyber Disruptors card features a unique cybersecurity professional, each with their own unique set of skills that can combat the most devious of hackers. Whether you're wielding the strategic genius of <strong>CipherStorm</strong>, the AI-driven precision of <strong>Dorrehs</strong>, or the compliance mastery of <strong>ShadowByte</strong>, you&#8217;ll quickly see that these cards are more than just pretty pictures&#8212;they're your key to saving the digital world.</p><h4>Examples of Special Abilities:</h4><ul><li><p><strong>CipherStorm</strong>: <em>Cybersecurity Captain</em>&#8212;Unleash powerful countermeasures that stop hackers in their tracks with <em>Strategic Command</em> and <em>Critical Analysis</em> powers!</p></li><li><p><strong>ShadowByte</strong>: <em>Compliance Crusader</em>&#8212;Use her <em>Regulatory Shield</em> to block any unauthorized breaches, ensuring your network stays compliant and secure!</p></li><li><p><strong>StealthLock</strong>: <em>Cyber Sleuth</em>&#8212;Track and neutralize threats with precision, using his <em>GhostScan</em> ability to quietly identify vulnerabilities in your opponent&#8217;s defenses.</p></li><li><p><strong>Dorrehs</strong>: <em>AI Defender</em>&#8212;Predict and neutralize threats before they even arrive with her <em>Predictive Algorithm</em> and <em>Automated Response</em> abilities.</p></li></ul><h3>Build Your Team, Battle Your Friends</h3><p>Create your own Cyber Disruptor deck and 
challenge your friends to see who can take down the most threat actors, protect the most data, and outsmart their opponents with their cybersecurity knowledge. Each battle is more than just a test of strength&#8212;it's a test of brains!</p><p>But, wait... there&#8217;s more! <em>We&#8217;ve also included a limited-edition</em> <strong>Clip&#8230; I mean HAL-y </strong>card! This wildcard card randomly alters the game rules, forcing players to adapt on the fly. Is it a <em>malicious insider threat</em>? Or maybe it&#8217;s a <em>zero-day vulnerability</em> that shifts the balance of power?</p><h3>Get Your Cards Now!</h3><p>Cyber Disruptors is available now for preorder&#8212;<em>but hurry, because we&#8217;re only producing a limited edition for this first round</em>. And if you act fast, we&#8217;ll throw in a rare <strong>&#8220;Phishing Alert&#8221;</strong> card that forces your opponent to discard one of their most powerful cards. Each deck is only $3.50 (tree-fiddy).</p><p><strong>Disclaimer</strong>: You should probably look at the publication date of this post.</p>]]></content:encoded></item><item><title><![CDATA[Shadows Within Shadows: How AI is Challenging IT]]></title><description><![CDATA[S04 EP 04: Island&#8217;s Chief Customer Officer, Bradon Rogers, chats shadow IT and how AI is compounding the issue.]]></description><link>https://www.adoptingzerotrust.com/p/shadows-within-shadows-how-ai-is</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/shadows-within-shadows-how-ai-is</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 20 Mar 2025 12:03:43 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/159453918/adc88f3a1046ce031f37aeea3e00b10f.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!NnXk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4d5a1c54-3cc1-4da3-8c40-d4ec6e44c174_2240x1260.png"><img src="https://substackcdn.com/image/fetch/$s_!NnXk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4d5a1c54-3cc1-4da3-8c40-d4ec6e44c174_2240x1260.png" width="1456" height="819" alt=""></a></figure></div><p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Shadow IT has long been a challenge for organizations, with employees adopting unsanctioned applications to boost productivity or occasionally for more personal reasons (like playing games remotely). 
While businesses have made strides in managing these risks, a new wave of shadow IT has emerged&#8212;one powered by generative</p><p>This week, we chatted with <a href="https://www.linkedin.com/in/bradon/">Bradon Rogers</a>, <a href="https://www.island.io/">Island's</a> Chief Customer Officer, to explore how AI is reshaping security challenges and how enterprise browsing solutions are evolving to address them.</p><p>Here are the <strong>key takeaways</strong> from the podcast discussion on shadow AI and enterprise security:</p><h2>Key Takeaways</h2><ul><li><p>AI is Accelerating Shadow IT Risks</p></li><li><p>AI is embedded within approved enterprise applications, making its presence less obvious.</p></li><li><p>Some AI-powered tools automatically opt users into data sharing or model training.</p></li><li><p>Enterprise data may be cross-contaminated with other customers&#8217; data, raising security and compliance concerns.</p></li><li><p>AI-generated derivative data can bypass traditional DLP solutions, making data loss harder to detect.</p></li><li><p>Application boundaries prevent corporate data from leaking into personal AI tools.</p></li><li><p>Instead of outright blocking AI, companies should guide users toward sanctioned AI environments.</p></li><li><p>Transparency is key: employees need clear communication on AI risks and corporate policies.</p></li></ul><h3>Editor&#8217;s Note</h3><p>This is your annual notice that we will be at RSAC, and we do plan to record an episode or two if possible. We&#8217;ve received a bunch of pitches to meet with guests but have not yet scheduled anything. If you want to record on-site, please be sure to pitch stories instead of people. I am also looking for potential guests for Microsoft&#8217;s Threat Intelligence Podcast and possibly another larger one if you have a non-vendor global CISO handy. 
Slide into my inbox if you have something of interest: elliot @ elliotvolkman[.]com.</p><p>Outside of that, swing by the Palace hotel where we&#8217;ll be hosting plenty of auxiliary sessions including a threat intel panel on Wednesday morning.</p><h2><strong>Shadow IT: Then and Now</strong></h2><blockquote><p>&#8220;It&#8217;s like shadows within shadows now&#8230; You've got the obvious generative AI destinations like ChatGPT, but then you&#8217;ve got other things that are less obvious, where generative AI is built into the application,&#8221; said Rogers.</p></blockquote><p>Bradon traced the origins of shadow IT to employees seeking convenient tools that organizations had not yet provided. Early examples included cloud storage solutions like Dropbox, which employees used to bypass outdated or unavailable corporate alternatives. As businesses caught up and introduced secure, sanctioned solutions, traditional shadow IT concerns declined.</p><p>However, the rise of generative AI has created a new frontier. Unlike past shadow IT, AI-driven tools are often embedded within applications, making them less obvious. Employees now leverage AI chatbots, automated workflows, and content generators&#8212;sometimes unknowingly opting into AI models that use company data for training. 
This creates unseen vulnerabilities that IT teams must address.</p><h3><strong>The Challenges of AI-Driven Shadow IT</strong></h3><p>According to Bradon, AI-powered applications present unique risks, including:</p><ul><li><p><strong>Embedded AI</strong>: Many AI features are baked into existing, approved tools without clear notifications to users.</p></li><li><p><strong>Global Data Pools</strong>: Enterprise AI models often rely on aggregated data, meaning sensitive information could be exposed beyond an organization's control.</p></li><li><p><strong>Derivative Data Risks</strong>: AI can transform sensitive data into new formats, making traditional detection methods ineffective.</p></li></ul><p>As AI adoption surges, businesses must implement policies that balance productivity with security. These policies must ensure that data remains protected while enabling employees to use AI responsibly.</p><blockquote><p>&#8220;You&#8217;ve got end users trying to find cheat codes to do their jobs faster, executives pushing to gain a competitive edge&#8212;sometimes without fully understanding the risks&#8212;and providers embedding AI into products to stay ahead. That creates a complex security landscape.&#8221;</p></blockquote><h3><strong>The Role of Enterprise Browsers in Security</strong></h3><p>One of the key takeaways from the discussion was how enterprise browsers, like those developed by Island, can help mitigate shadow IT risks while enhancing user experience. Bradon emphasized that enterprise browsers create secure environments for accessing corporate applications without sacrificing usability. 
Key benefits include:</p><ul><li><p><strong>Application Boundaries</strong>: Enterprise browsers define clear lines between corporate and personal apps, preventing unauthorized data movement.</p></li><li><p><strong>Zero Trust Network Access (ZTNA)</strong>: Instead of traditional VPNs, enterprise browsers provide secure, seamless access to internal applications without exposing the broader network.</p></li><li><p><strong>Granular Policy Enforcement</strong>: Organizations can enforce AI-specific security measures, such as blocking sensitive data uploads to AI tools or directing downloads to secure corporate storage.</p></li></ul><h3><strong>A Future-Proof Approach to Security</strong></h3><p>As AI-driven shadow IT continues to evolve, organizations must adopt security strategies that go beyond simple blocking mechanisms. Enterprise browsers offer a &#8220;say yes&#8221; approach&#8212;allowing employees to leverage innovative tools while maintaining security and compliance. By enforcing contextual policies and ensuring data stays within approved applications, businesses can navigate this new landscape with confidence.</p>]]></content:encoded></item><item><title><![CDATA[Live at ZTW2025: Cyberwire Daily’s Dave Bittner + Dr. Zero Trust]]></title><description><![CDATA[S04 EP 03: Dave and Dr. 
Zero Trust weigh the difference between delivering refined news and raw perspective, hitting critical mass for AI, and the current political environment.]]></description><link>https://www.adoptingzerotrust.com/p/live-at-ztw2025-cyberwire-dailys</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/live-at-ztw2025-cyberwire-dailys</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 06 Mar 2025 12:30:59 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/158485724/9d7d56251fc37e0f48d1e30631d34541.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!UhBu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26cf9ba0-3b57-4a49-9b3c-31b1ffe757a6_2240x1260.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!UhBu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26cf9ba0-3b57-4a49-9b3c-31b1ffe757a6_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!UhBu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26cf9ba0-3b57-4a49-9b3c-31b1ffe757a6_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!UhBu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26cf9ba0-3b57-4a49-9b3c-31b1ffe757a6_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!UhBu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26cf9ba0-3b57-4a49-9b3c-31b1ffe757a6_2240x1260.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!UhBu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F26cf9ba0-3b57-4a49-9b3c-31b1ffe757a6_2240x1260.png" width="1456" height="819" alt=""></picture></div></a></figure></div><p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. 
<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Live from ThreatLocker&#8217;s Zero Trust World (ZTW), cybersecurity heavyweights <a href="https://www.linkedin.com/in/dave-bittner-27231a4/">Dave Bittner</a>, host of <a href="https://thecyberwire.com/podcasts/daily-podcast">CyberWire Daily</a>, and Dr. Chase Cunningham, AKA <strong><a href="https://www.linkedin.com/in/dr-chase-cunningham/">Dr. Zero Trust</a></strong>, shared their unfiltered thoughts on the state of cybersecurity, AI, and government regulations. From the shifting landscape of compliance enforcement to AI reaching critical mass in both defense and cybercrime, we can expect an extraordinary level of change in the years ahead.</p><h2>The TL;DR</h2><p>Don&#8217;t have time to listen to the full episode, even on 2x? Here&#8217;s a quick skim of what we cover:</p><ul><li><p><strong>Cybersecurity and Government Challenges</strong>: Panelists discuss the unpredictable nature of cybersecurity policy changes in Washington.</p></li><li><p><strong>Regulatory and Compliance Shifts</strong>: There is growing momentum toward stricter enforcement, potentially including criminal charges for negligence in cybersecurity, similar to other regulated industries.</p></li><li><p><strong>Threat Intelligence and Information Verification</strong>: The CyberWire team emphasizes the importance of rigorous verification before reporting cybersecurity news, avoiding rumors and speculation.</p></li><li><p><strong>CISA&#8217;s Future and Impact</strong>: The uncertain future of CISA (Cybersecurity and Infrastructure Security Agency) could have long-term effects on standards, policies, and cybersecurity procedures.</p></li><li><p><strong>AI and Cybersecurity</strong>: Panelists debate whether AI, particularly LLMs, has reached critical mass and how AI is being used in cybersecurity, both for defense and by threat actors.</p></li><li><p><strong>Challenges of AI Regulation</strong>: There are concerns that AI governance, especially in the U.S. and Europe, is struggling to keep pace with technological developments.</p></li></ul><h3>Producer&#8217;s Note</h3><p>This episode will have a bit of background noise, as we were recording in the expo area, so fair warning. That said, huge shoutout to ThreatLocker for having us out to experience Zero Trust World. They absolutely put on an amazing show, and this is coming from someone who has created similar conferences from scratch. If you didn&#8217;t get a chance to attend this year, we can certainly recommend going in 2026.</p><h3><strong>Cybersecurity Chaos and Government Uncertainty</strong></h3><p>We kicked off the discussion by highlighting how political turbulence in Washington, D.C., is impacting cybersecurity policies.</p><blockquote><p>&#8220;The unpredictability of things happening in ways we haven&#8217;t seen before is the biggest disruptor this year,&#8221; Dave noted, emphasizing the challenges posed by leadership changes and regulatory instability.</p></blockquote><p>Chase didn&#8217;t hold back either, expressing concerns about unqualified appointments in key government cybersecurity roles.</p><h3><strong>Regulations with Real Consequences?</strong></h3><p>One of the most thought-provoking discussions revolved around compliance and enforcement. Historically, violations of cybersecurity regulations have led to fines, but Chase believes a shift is coming. &#8220;The cost of doing business might include some shiny bracelets here pretty soon,&#8221; he said, suggesting that negligent cybersecurity practices could soon result in criminal charges rather than just financial penalties.</p><p>Dave added that regulatory enforcement has often been inconsistent. &#8220;If you do the math on some of these breaches and the dollar value assigned to them, it should have bankrupted some of these companies&#8212;but it didn&#8217;t.&#8221; The implication?
Some companies are getting away with lax security while others may soon face real accountability.</p><p>But in the paraphrased words of Dr. Zero Trust: when a breach hits, buy the dip (this is not financial advice, and you should generally take the information we share with a mountain of salt).</p><h3><strong>The AI Debate: Game-Changer or Overhyped?</strong></h3><p>As expected, AI was a major topic of discussion. While Dave sees AI as a force multiplier, he remains cautious about its long-term impact. &#8220;We thought personalized ads would be great, and now we live in an ecosystem nobody enjoys,&#8221; he noted, drawing a parallel between AI&#8217;s potential and previous tech advancements that didn&#8217;t play out as optimistically as expected.</p><p>Chase, on the other hand, is focused on AI&#8217;s practical applications, arguing that machine learning should be used to tackle major societal challenges. &#8220;We should be using really good technology to see where there are opportunities to do things better for people everywhere,&#8221; he said. But he also warned that AI will inevitably be used for malicious purposes, just as every technological advancement has been.</p><p>One area where AI is already making a visible impact? Cybercrime. Chase pointed out that threat actors are leveraging AI to improve phishing and misinformation campaigns. &#8220;The moment ChatGPT went live, various threat actors started to take advantage of it,&#8221; Neal added, reinforcing the reality that AI isn&#8217;t just a tool for defenders&#8212;it&#8217;s also empowering attackers. However, to OpenAI&#8217;s credit, they&#8217;ve recently <a href="https://openai.com/global-affairs/disrupting-malicious-uses-of-ai/">released a report</a> that describes the effort they have put in over the past year to keep threat actors from abusing their platform.</p><h3><strong>Filtering Out the Noise</strong></h3><p>Throughout the discussion, both Dave and Chase emphasized the importance of cutting through misinformation and hype in cybersecurity. Dave&#8217;s approach at CyberWire Daily is to prioritize accuracy over speed, ensuring that only well-verified reports reach their audience. &#8220;We&#8217;re not in the breaking news business. We&#8217;re aggregators. The value we bring is saving people time.&#8221;</p><p>Meanwhile, Chase stressed the need for independent critical thinking. &#8220;I tell folks all the time&#8212;don&#8217;t listen to me. Make your own decision. The data is the data, and the truth is somewhere in the middle.&#8221;</p>]]></content:encoded></item><item><title><![CDATA[Predicting the year of cybersecurity ahead (minus regulations)]]></title><description><![CDATA[S04 EP 02: Common themes we can expect to see in 2025]]></description><link>https://www.adoptingzerotrust.com/p/predicting-the-year-of-cybersecurity</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/predicting-the-year-of-cybersecurity</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Tue, 18 Feb 2025 11:45:50 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/157342496/8e3355611ae92b4df655266811a2ebd5.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a 
href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PjfJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PjfJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!PjfJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!PjfJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!PjfJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PjfJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3508899,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PjfJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!PjfJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!PjfJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!PjfJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60689945-9e8c-4ffe-b7d5-fa052279a935_2240x1260.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>It&#8217;s mid-February, but somehow, we&#8217;ve already been through what feels like a year&#8217;s worth of change in the cybersecurity and regulation world. Beyond the standard incidents, outages, and attacks&#8230; there have been obvious impacts that have downstream effects. Regardless of regulatory changes, which we&#8217;ll cover as those impact our space, AZT brought together a few minds who have thoughts on the year ahead.</p><p>To properly kick off season four, we have the privilege of chatting with two wonderful guests:</p><p><a href="https://www.linkedin.com/in/lawrencepingree/">Lawrence Pingree</a>, VP of Technical Marketing at Dispersive, but you are more likely to know his name from his time at Gartner.
However, he has a varied background ranging from CTO to security engineer, so don&#8217;t let that marketing line in his title fool you.</p><p><a href="https://www.linkedin.com/in/oliverplante/">Oliver Plante</a>, VP of Support at ThreatLocker, has around 15-20 years of IT under his belt. He also has seen a thing or two when it comes to implementing new cybersecurity strategies.</p><h3>What We Covered</h3><p>In 2025, these are the elements we see becoming common themes:</p><ul><li><p><strong>Proactive Defense:</strong> Shift from detection to automated, preemptive security.</p></li><li><p><strong>AI Risks &amp; Benefits:</strong> AI aids security but also enhances cyber threats.</p></li><li><p><strong>Zero Trust:</strong> Strict access controls are essential.</p></li><li><p><strong>Quantum Threats:</strong> Encryption risks from quantum computing.</p></li><li><p><strong>Future Security:</strong> Passwordless authentication and blockchain for data integrity.</p></li></ul><h2>Editor&#8217;s Note</h2><p>This week, Neal and I are off to <a href="https://ztw.com/">ThreatLocker&#8217;s Zero Trust World (ZTW)</a>. We&#8217;ll be doing our best to capture episodes, interviews, and other info from the sessions and posting it back here.</p><h3>From our Sponsor, ThreatLocker</h3><p>Do zero-day exploits and supply chain attacks keep you up at night? Worry no more: you can harden your security with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.</p><p>ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based Cyber Hero support team.</p><p>Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance.
Visit <a href="http://threatlocker.com/">threatlocker.com</a>.</p><h2><strong>Embracing Preemptive Cyber Defense</strong></h2><p>Lawrence introduced a compelling argument for shifting the cybersecurity focus from detection and response to preemptive cyber defense. He explained that while detection remains vital, relying solely on it can be a weak point. Instead, there is potential for automated moving target defense and preemptive techniques to predict and prevent cyber threats before they materialize.</p><h2><strong>The Power and Challenges of AI in Security</strong></h2><p>There is no doubt that the use of AI is increasing, along with the need to secure it. The many flavors of this typically start with controls that reduce insider risk, such as preventing employees from tossing proprietary information into an LLM, or configuring models not to share information with external audiences.</p><p>Both guests underscored the dual-edged sword of AI&#8212;its potential to enhance security and its capability to empower attackers. Lawrence shared a study revealing that AI could hack a website with an 80% success rate, emphasizing the urgency for new defense strategies. Neal added that AI has made previously complex tasks accessible, raising both opportunities and concerns within the cybersecurity community.</p><h2><strong>The Role of Zero Trust and Least Privilege</strong></h2><p>Oliver underscored the importance of Zero Trust and least privilege in thwarting unauthorized access. By enforcing strict access controls and granting permissions based on necessity, many security breaches could be mitigated. This proactive stance is crucial in a landscape where Zero Trust is no longer a luxury but a necessity.</p><h2><strong>Quantum Computing: Friend or Foe?</strong></h2><p>Are we nearing the post-quantum computing stage? If so, what are the potential impacts on cybersecurity? While quantum computing holds the promise of solving complex problems at unprecedented speeds, it also poses challenges, particularly in cryptography. The consensus is that while quantum-safe technologies exist, their true efficacy remains to be tested in real-world scenarios. It&#8217;s also likely that as the technology improves, encryption standards will be at risk, as will shorter, weaker passwords.</p><h2><strong>Passwordless Environments and Blockchain Applications</strong></h2><p>The largest tech companies are making it clear that passwords are not the way of the future. Between passkeys and other related concepts, we are entering the age of passwordless environments.</p><p>As passwords become less secure, the panel suggested a pivot to biometric and alternative authentication methods. Additionally, the use of blockchain technology to ensure data integrity and security in document sharing was explored as a promising development.</p><h2>Shifting Toward Proactive Efforts</h2><p>Perhaps it&#8217;s utopian to hope that organizational leaders will treat cybersecurity with respect rather than as a cost center; until they do, it is difficult to do more than play a constant game of whack-a-mole. With how the threat landscape is shaping up, the panel emphasized adopting adaptive security policies such as Zero Trust frameworks. As a panel, we agreed that the time for playing catch-up in cybersecurity is over. The focus must shift to preemptive strategies that anticipate and neutralize threats before they arise.</p>]]></content:encoded></item><item><title><![CDATA[Kicking Off Season 4 of Adoption Zero Trust (AZT)]]></title><description><![CDATA[S04 EP 01: The gang kicks off season four. 
Buckle up...]]></description><link>https://www.adoptingzerotrust.com/p/kicking-off-season-4-of-adoption</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/kicking-off-season-4-of-adoption</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Tue, 11 Feb 2025 12:35:49 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/156895341/54b21df4817e1f6797a8668ea6062348.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dc0x!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dc0x!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!dc0x!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!dc0x!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!dc0x!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!dc0x!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3491135,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dc0x!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!dc0x!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!dc0x!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!dc0x!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F276974ad-7a86-4f28-8892-e296860d8f22_2240x1260.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Neal and I are excited to welcome you back to AZT as we kick off our fourth season.
After four years of trying out different formats and episodes, including at least an entire season terrorizing vendors for slapping Zero Trust on their box as if it were something you could buy, we&#8217;re ready to narrow our focus a bit.</p><h2><strong>Reflecting on a Year of Change</strong></h2><p>Last year, we focused on how organizations are implementing and shifting their cybersecurity strategy, but found that this varies so significantly that it could make some episodes a bit hard to digest. Now, with regulation and deregulation reshaping the industry, it&#8217;s the perfect time to revisit some hot-button topics and provide a bit more context behind them. For example, why are organizations forcing passwords to be rotated on a time-based policy when NIST says that isn&#8217;t necessary anymore? How do we get people to stop using SMS for MFA? Or&#8230; are VCs positively or negatively impacting our space by throwing millions at buzzword tech?</p><p>And yes, we will certainly explore some of the implications and challenges associated with the new administration.</p><h3><strong>Call to Action: Get Involved</strong></h3><p>As always, we're eager to hear from you. If there are specific topics or guests you think we should feature, please reach out and let us know. This podcast is not only a passion project but a way to provide value back to the community.</p><h2>Meet us at Zero Trust World</h2><p>Catch us in Orlando, Florida, at <a href="https://ztw.com/">Zero Trust World</a> with ThreatLocker next week. We will record episodes there and would love to connect if you&#8217;ll be around. Look forward to content from the conference in late February or March.</p><h2><strong>Thank You for Your Support</strong></h2><p>Thank you for listening, whether you've been with us from the beginning or are tuning in now.
Your interest keeps us going.</p><p>Stay tuned for more, and welcome to another season of AZT!</p>]]></content:encoded></item><item><title><![CDATA[The key to growing a cybersecurity career are soft skills]]></title><description><![CDATA[Season 3, Episode 16: Being technical gets you a job in cyber, but investing in soft skills opens doors to make it a career.]]></description><link>https://www.adoptingzerotrust.com/p/the-key-to-growing-a-cybersecurity</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/the-key-to-growing-a-cybersecurity</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 19 Dec 2024 12:45:43 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/153328034/f9e94eed14fc0abbe25aaf09c8ce8d6e.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!bLHX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!bLHX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!bLHX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!bLHX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 1272w, 
https://substackcdn.com/image/fetch/$s_!bLHX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!bLHX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png" width="1280" height="720" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:696172,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!bLHX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!bLHX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!bLHX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 1272w, 
https://substackcdn.com/image/fetch/$s_!bLHX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F87996f94-3f12-47ce-ae32-490d4c9c4c30_1280x720.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><em>Catch this episode on <a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>, <a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>, <a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or <a 
href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>. <a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Soft skills, or essential skills depending on who you ask, are often underrepresented in the cybersecurity world. We can code, connect pieces of a puzzle together to develop intel, fight back against threat actors, and yell at everyone around us for poor digital hygiene. However, the glue between all aspects of cybersecurity is communication, and the way we articulate and tell stories makes the difference between people absorbing the information to take action or watching their eyes gloss over and it getting ignored (and also money, it&#8217;s always a money thing).</p><p>This week we chat with <a href="https://www.linkedin.com/in/courtney-hans/">Courtney Hans</a>, VP of Cyber Services at AmTrust Financial Services, and <a href="https://www.linkedin.com/in/ekharam/">Evgeniy Kharam</a>, author of Architecting Success: The Art of Soft Skills, who help us explore how non-technical skills are vital in shaping the careers of cybersecurity professionals.</p><h2>Key Takeaways</h2><ul><li><p>Soft skills, often referred to as 'non-tech skills,' are essential for successful communication and collaboration in cybersecurity.</p></li><li><p>Courtney emphasizes the importance of active listening and understanding stakeholders' motivations.</p></li><li><p>Evgeniy discusses the necessity of curiosity and vulnerability in building these skills.</p></li><li><p>Neal highlights the importance of tailored communication and how personal experiences can build presentation abilities.</p></li><li><p>The discussion covers techniques like soliciting feedback, transferring excitement from fear, and leveraging personal passion in presentations.</p></li><li><p>We all agree that continuous learning and exposing oneself to public speaking to develop these skills is critical.</p></li></ul><h3>Producer&#8217;s 
Note</h3><p>As we sprint towards the end of the year, we can officially close out season 3 of AZT. With three full years behind us, we have tackled what Zero Trust really means, heard from those who have adopted it, and taken many side adventures.</p><p>As we head towards season 4, we are looking forward to expanding our focus to a broader look at cybersecurity strategy, connecting you with experts to advance your career in cyber, and finding other interesting stories to tell. As always, we love feedback and your ideas, so please feel free to send them our way.</p><p>That all said, Neal and I produce this show for you, and we are grateful that you take some time out of your busy life to hear us blab on about topics we care about. We hope you have a wonderful holiday, new year, and may it be free of incidents and misconfigurations.</p><h2>Breaking Down the Concept of Soft Skills</h2><p>Are they truly soft skills, or are we downplaying the concept when we use that phrasing? Interestingly enough, those who embrace the gift of gab and persuasion often have their own term for them, and Courtney is no different. In fact, she feels it&#8217;s important to reframe these skills as essential rather than secondary to technical proficiency. And, if you have had the pleasure of seeing her present, you certainly know she wields them with a force to be reckoned with, and you can expect the entire audience to get involved.</p><p>That aside, she also shared some of her journey from an adventure travel guide to a cybersecurity professional, and underscored the value of communication and adaptability. 
Her experiences in engaging high-powered clients as a guide were directly transferable to her current career, emphasizing how understanding audience needs and tailoring communication are critical components of effective cybersecurity practices.</p><h3>Unpacking the Spectrum of Soft Skills</h3><p>Evgeniy expanded on the concept of soft skills by introducing the term "human skills" and outlining various contexts where these skills come into play. Like Courtney, he uses his communication skills to better the world of cyber by bringing people together in intimate settings. Think skiing trips with pockets of discussion rather than speaking at you from a stage. He emphasizes curiosity and vulnerability as foundational soft skills that drive growth and engagement.</p><p>Meanwhile, Neal, as both a speaker and practitioner, shared some stories about his transition from a military background to presenting on stages around the world. He highlighted the importance of getting over initial fears to focus more on serving the audience. He elaborated on how practicing these skills and receiving constructive feedback can enhance one's presentation abilities and improve interactions with colleagues and clients alike.</p><h3>Strategies for Building and Enhancing Soft Skills</h3><p>Throughout the episode, Courtney offered strategies for building soft skills, such as actively seeking feedback and remaining curious. Both Neal and Evgeniy also stressed the necessity of overcoming initial discomfort to achieve personal growth. The discussion brings forward different techniques to handle fear and excitement, ultimately advocating for embracing challenges as opportunities for development.</p><h3>Why Soft Skills Matter in Cybersecurity</h3><p>The episode emphasizes that while technical skills are indispensable, soft skills are equally crucial in facilitating effective communication, collaboration, and problem-solving within teams and with clients. 
The ability to convey complex technical information in an accessible manner can differentiate successful cybersecurity professionals from their peers.</p><h3>Be Comfortable Being Uncomfortable</h3><p>To wrap things up, the consensus among the hosts and guests is clear: to progress in cybersecurity or any technical field, you should aim to be comfortable with discomfort. This means continually pushing boundaries and welcoming new challenges, as these experiences cultivate resilience and enhance one's capabilities.</p><p>And while cybersecurity is steeped in technology, the human element cannot be overlooked. By leveraging soft skills, professionals not only advance their careers but also contribute to a more collaborative and effective cybersecurity landscape.</p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot V:</strong> Hello, and welcome back to Adopting Zero Trust or AZT. I am Elliot Volkman, your producer alongside Mr. Neal Dennis, our host. And we have two wonderful guests today to talk about a topic, which is not quite around the realm that we usually talk about. Although I feel like I say that almost every episode that we are changing and talking about something new, but this truly is a little bit to the side.</p><p>We are going to be talking about soft skills. And if you're watching this video Mr. Denny who has been with us before. Has a wonderful shirt, which Courtney has</p><p><strong>Courtney:</strong> I'm envious of it. 
I mean, we're going to have to follow up so I can figure out where to get one myself.</p><p><strong>Neal:</strong> I want</p><p><strong>Elliot V:</strong> So he came prepared,</p><p><strong>Neal:</strong> iterate real quick, Elliot does say this every episode for the last 18 episodes, however, comma, I think the whole point of this has been, you never know what skills you're going to need to make everything from zero trust to cyber security a reality,</p><p><strong>Courtney:</strong> True</p><p><strong>Neal:</strong> that's why we're here, so it's all related.</p><p>I got to get it out of his wordsmithing brain to, to say that we got it. We'll fix him by the end of this meeting.</p><p><strong>Elliot V:</strong> Oh, good luck with that. I will put heavy bets against them, but</p><p><strong>Evgeniy:</strong> new, so this is actually very important part and was a motivation to write the book. One of them is we have many amazing engineers, many amazing boys and girls that have amazing brain, but in some cases. They have a hard time or they don't know how to speak the language that the other person wants to know.</p><p>I think one of the interesting examples I like to talk about it is if you put a developer and accounting in the same room and tell them, please only use the acronyms you use with your buddies, watch how is it going to communicate or not communicate. And you just provide a very good example of how you translate it.</p><p><strong>Elliot V:</strong> You went that's pretty common. I'll be honest with you. Which is the worst part because I'm the comms guy. So I should be doing the translation, but hold on before we get too far into this. We need to do some introductions because at least we have one new guest here. So we're going to start with you, Courtney.</p><p>Who are you? Why are you here? How do we rope you into this?</p><p><strong>Courtney:</strong> I'm well, partially here because I'm a huge fan of the Elliot Volkman style of communication. 
So thanks for having me on. And I'm here because I actually I think all of us are on the same page. I'm a huge proponent of the value and necessity of I don't even call them soft skills, I typically call them non tech skills.</p><p>I think sometimes when we call them soft skills, it makes them sound less important. And I don't think any of us think they're any less important. And some might argue they're even more important than those technical skills. I cut my teeth in my career as an adventure travel guide. Right out of the gate.</p><p>I had to work on my communication skills to get the job done and that's a skill that I continue to develop and have brought forward into my cyber security career. So yeah excited to be here and talk about it some more</p><p><strong>Elliot V:</strong> And I will say I was just trying or itching to find any excuse to bring you on here. So if anyone has had the pleasure of seeing Courtney present, it is some of the most engaging information and presentation skills that I have ever seen. So you are perfect for this topic. And I think you might have actually been presenting around the same time that Neal was at a conference that I hosted.</p><p>His approach is throwing candy bars at people, which I personally love, but you get people up and moving around and that takes a different level of a cat herding.</p><p><strong>Neal:</strong> To say people tend to move when you throw a king size Snickers at their</p><p><strong>Courtney:</strong> no doubt</p><p><strong>Elliot V:</strong> that's true. In fact, I'm going to steal that tactic for a presentation that I'm going to be giving in a couple of weeks. So we'll see how that goes.</p><p><strong>Neal:</strong> I want to finish reintroducing but I want to call out that is not a tactic I use all the time. It was a tactic I used in a post COVID conference world where everybody was not really sure they should be in the room. 
And then Elliot has since made it a good indirect branding for me on stage at certain moments in life.</p><p>So</p><p><strong>Courtney:</strong> Well, I love that you said you don't use it every time because right everything comes back to context know your audience</p><p><strong>Evgeniy:</strong> No, the</p><p><strong>Neal:</strong> sometimes you got to bring paydays instead of Snickers.</p><p><strong>Courtney:</strong> That's right. I would not be the audience for a payday bar.</p><p><strong>Elliot V:</strong> All right. Evgeniy, you've been with us before you have. I don't know you, you're like an organizer of chaos in this world of cyber security, you bring people together in physical at conferences of your own sort. You're a voice, you connect people, but I don't know. What else would you like to expand? Obviously you've been here with us before, but oh, you're an author now.</p><p>Look at that. All right.</p><p><strong>Evgeniy:</strong> Leave me by mistake. I have a copy of my book here with me. Maybe another hundred zero on the box that are near me as well. But I am an author. I think I realize, you know, the expressions that. A good son, I think a daughter as well need to what have a put a tree build a house bring a child So I think to make parents happy we need to write a book because when I saw my dad And he smiled when he got the first copy I'm like, oh my god, if I need if I knew the only thing I need to do is write a book</p><p><strong>Elliot V:</strong> I'm going to keep that in my back pocket for no reason at all that I will not open up personal conversations with, but I love that.</p><p><strong>Evgeniy:</strong> I am an author it took some time. It was interesting enough. People ask me How long did it take to write a book and like about a year like that's it I was like, actually, no, it took me a year to figure out what I want to write about. And then it took nine months to actually write the book. 
And then it took three months to kind of polish and do the production in the end.</p><p>And it was also interesting that I still need to write the blog about the journey of writing the book, because I learned a lot very, a lot about some of the things you need to think about when you're writing, like the marketing. Right when you're writing the book and not later on, but when I finished writing the book, my first idea was, okay, I need beta testers.</p><p>And my editor was like, what do you mean by the testers? They're like, what do you mean? I cannot just publish something that I had to know if it's going to work. We need to make sure there's a good audience beside my idea people I'm talking to, or somebody need to read the book. And he's like, why would somebody read the book?</p><p>I'm like, I don't know. I'm going to ask them. That's it. He's yes.</p><p><strong>Elliot V:</strong> Love it.</p><p><strong>Neal:</strong> on a fun note I'm mulling over Elliot knows I'm a horrible guy at actually follow through on certain actions. I come up with a lot of great ideas, but I need people like Elliot who are the actual doers sometimes to make the things in reality. But that being said, I am writing a book on cyber history.</p><p>And and I call that out only because you say it only took you nine months and three months, but really as an author of any content or as a musician or anything that you're producing, it's a lifetime of experiences that go into creating that. So props to you for capturing.</p><p><strong>Evgeniy:</strong> I will definitely will be happy to talk to you about the history of cyber security because I'm wondering which history you're writing, you know, cyber security is like an elephant and you put the blind people around it and everybody touch a part of the elephant and asking what it is for somebody say it's an ear.</p><p>It's a leg. It's a belly. 
So I'm wondering which direction you're taking because I spent a lot of years in professional services and architecture. And it's a one aspect of cybersecurity and hacking pentesting. It's a different aspect of cybersecurity. SOC and defense is a different aspect of security policy and creation.</p><p>So I'm really intrigued. Where are you taking this? Cause I had an episode with a company a few weeks ago when we spoke about the history of SIEM, SOAR and all this part for last 20 years, it was very interesting to talk about it and why there was less events, for example. Sounds</p><p><strong>Neal:</strong> that rabbit hole at some point in time.</p><p><strong>Elliot V:</strong> thought you were going to tell me that you were going to move forward with this</p><p><strong>Neal:</strong> Oh, the pod. No, that's still happening.</p><p><strong>Elliot V:</strong> he's gonna he's gonna author a book instead. So I do want to provide some context. This episode sort of directly aligns with something that I was terrorizing Neal to do for quite some time.</p><p>But he</p><p><strong>Neal:</strong> going to happen. I've got people lined up. I just.</p><p><strong>Elliot V:</strong> I'm not guilt tripping right now. I just want to add a little bit of extra flair and context. Yeah, I'm guilt tripping. The reality is, there's just a lot of passion that comes out of Neal for this. Plus, I think we can all pretty much generally agree with there's a lot of different stories in our space of is there a skill gap?</p><p>Is there a talent gap? That seems to be shrinking or whatnot, but soft skills or however we want to position them are often not really brought to the equation or elevated to the state that we should be. So that is why we're spending a little bit of extra energy and time there of how you could spend.</p><p>Some of your own time to invest in those skills, what it brings to the general community, stuff of that nature. 
Courtney, I'm going to just throw this right over to you again, because you are a fantastic presenter. Not that our other wonderful guests and our host is not, but you know, you obviously have a craft that comes alongside your technical skills.</p><p>That didn't just appear overnight. Maybe it did, but maybe you can tell us a little bit about why you know, offer yourself out to the community and share your insight and how you kind of build the narrative in your mind. Essentially wrapping it around to the necessary skills with soft skills.</p><p>Transcripts provided</p><p><strong>Courtney:</strong> started my career, I'm a more recent entrant into cybersecurity. So I've only been a practitioner in this space since 2020. And before that, like I said, it was an adventure travel guide for an active travel company for about a decade got my MBA and did, as my kids say business for another decade before moving into this.</p><p>And one of the things I always think about when I talk to other folks that are interested in either beginning or transitioning into a career in the security industry is transferable skills and skill sets they need to build up. To your point, what are their current skills gaps? And you see, I think we all see a lot of conversation around, you know, do you pursue this certification or that line of study or this niche?</p><p>And not as much it's, I'm seeing it more lately, but not as much focus on what are the non technical skills that you need to develop. We see that a bit in conversations around, you know, CISO readiness, you know, are you are you a technical CISO or non technical CISO? Do you have a good sense of business acumen?</p><p>Do you have an MBA? Do you need an MBA? That sort of thing. So we're seeing that in more senior roles now, at least in the discussion about necessary skills. 
But I think there are so many other folks in the beginning or medium stages of their career that are either trying to figure out how to make a move, how to push their career to the next level, or maybe it's even just that they're trying to figure out how to get.</p><p>broader stakeholder buy in. or they're in sales, something like that. And that comes back again to knowing your audience. So when I think about my days in adventure travel guide, I was, Elliot's heard this before, I think, but I was, you know, like 22 fresh out of college, given the keys to a 15 passenger van company credit card.</p><p>And I was the product in the field, right? Adventure travel guiding all over the world. And we would get Pretty high on clientele meaning we'd get folks that were, I say type A, very accomplished in their day jobs, very used to calling the shots, and I as a 22-year-old , which, you know, I lead on that age 'cause I didn't look any older than I look now, so I definitely looked younger.</p><p>I'm trying to encourage these folks that are older than me accomplished in their careers, used to getting their way, calling the shots, and very quickly had to figure out how to make my ideas, feel like their ideas. So when I was herding those cats. They would go in the direction I wanted them to go in thinking all the time that it was their idea.</p><p>And I don't mean I was trying to manipulate or anything like that. I mean, I was trying to identify what are their motivators? Why are they here? What are they looking to get out of this? And that started, this is relevant. That started with a welcome. The very first day of a trip, it'd be like a six day trip, for example.</p><p>And the first thing I would ask folks when they would introduce themselves is What do you hope? Why did you choose this trip? Why? What are you hoping to get out of this week? 
So if we were say in the California wine country, which is an excellent spot for a bike ride, by the way, if we were in the California wine country, I could figure out, are they here because they're really excited to log a ton of miles and they just want to get after it and get their, you know, their physical exertion on.</p><p>Are they here because Their spouse really wanted to come on a trip and they like wine. So they want to discover the next new wine spot. So I could figure out how to encourage them to follow the run of show, if you will, in a way that fit in a broader group dynamic, but still delivered on their own on their own internal desires.</p><p>And that, I think. To me, that's, it's pretty clear how that can be applied to a cyber security environment. You've got stakeholders across all number of disciplines, right? Finance folks, marketing folks, operational folks. Everybody's got their own goal set and personality types. And, When you start a new job or when you're trying to get buy in for a new project, you've got to figure out how to put yourself on the same side of the table as those folks, so that it's a coalition build instead of a, this is what I want, how are you going to help me get it?</p><p>So yeah, so that's, I think those soft skills start with active listening, right? That's maybe a cheesy term now, but it's so true. Figuring out Where is this other person coming from? Not just what are their maybe business goals, but how do they like to work? Do they like to chat on Slack? Do they like to have a little informal chit chat at the top of a meeting or get right to it?</p><p>How do I work in a way that minimizes interpersonal friction to deliver the best results in a way that is compelling for both of us? And that's not something that folks are getting from Slack. Maybe traditional educational routes or bootcamps. I went through a bootcamp myself. 
I've, there's lots of discussion about bootcamp and what kind of skills they set folks up with.</p><p>And I enjoyed my experience, but I also came in with a whole, you know, two other careers before me, before I went into something like that and I built off of that. So that was kind of a rambling answer to your question, Elliot, but that's that's where I started building it.</p><p><strong>Elliot V:</strong> Yeah.</p><p><strong>Neal:</strong> You just basically described my entire work life balance for the last four and a half frickin</p><p><strong>Evgeniy:</strong> wanted to add something to Courtney, because you started to talk about it, and first of all, I'm really fascinated by what you were saying. I also like adventures, something we can talk about later on, whitewater, canoeing, kayaking, skiing, snowboarding. We've been talking about soft skills for the last, probably 15 minutes.</p><p>But I think for the people that are not familiar with the idea, you mentioned this, non technical skills. Some people mentioned this as a human skills. I think there is a big variety of soft skills. And I also like the idea that we have soft skills and we have places where we use soft skills, like a presentation.</p><p>By itself, or if speech is not a soft skill, but there is many parts where we use soft skills in the presentation being on a video call is not a soft skill, and I have a chapter about video calls in my book and people like WTF, how soft skills is like, because we take a lot about soft skills and put in a video call.</p><p>And this is our main way to communicate. So maybe we can spend two or three minutes to talk about what are soft skills from each of us. So for me. As Courtney, as you mentioned, there are non technical skills. So hard skills will be something that we expect. A similar answer all the time. 
Chemistry, mechanics, mathematics, programming, and soft skills are very dynamic in my mind, where they can change and require quite a lot of understanding of the other person.</p><p>I have this joke, when I'm presenting about soft skills and I'm going to ChatGPT and I'm asking how you're doing. How are you doing? How are you doing? They're getting the same answer. I'm good. I'm good. How are you? How can I help if I'm gonna ask Elliot, Courtney, or Neal? How are you doing? How are you doing?</p><p>How are you doing? You're gonna punch me in the face after the first time and you will be right, you know Why because I need to pay attention, you know, there's different ideas So this is one part and I think from my perspective You There is two core ones that I think are important. One is curiosity.</p><p>If you're not curious enough to understand what's happening around you, you're not able to move yourself, move the needle. The second one is vulnerability. Is actually open up. And try new things, try to ask if you're a salesperson, if you're going to buy this, if you're an engineer, you might probably going to work, or you can ask for more money or different table or whatever it is that you require to actually open up and be vulnerable there.</p><p>So this is my two can talk more, maybe somebody else want to contribute.</p><p><strong>Elliot V:</strong> the next</p><p><strong>Courtney:</strong> Both of those things. I think about the more you step outside your comfort zone, the bigger it gets. That's part of back to your original question, Elliot.</p><p>Why do I present? It makes me uncomfortable just enough that I'm like, okay, this is good for me. And that vulnerability, I think that's acknowledging that there are things you don't know and that you want to continue learning. And I tell folks that are interested in security as a career that to me, those two, you just nailed it.</p><p>Those two things I think are critical to success in that field. 
You have to open yourself up to the fact that you don't know everything, that you never will know everything and that constant learning, mild discomfort and curiosity for what's next is what's going to propel you forward.</p><p><strong>Neal:</strong> think those are awesome calls. It's a great summarization of Rex. And so for my part, you know, this is whether I'm working in a consultative fashion, pre sales fashion, post sales. You know, the conversation dynamics are always different. And what I have to do for my day to day. And I, at my company, Deja, cover that entire spectrum.</p><p>So I get people on a call that it's, sometimes it's the first call. Sometimes it's the first meeting. I go to conferences, present. First time meeting someone who's interested in whatever it is we're doing. And, unfortunately for them, usually their first impression is they sat in a room and saw me on stage.</p><p>Fortunately for me, it makes it easier because they have questions preemptively to come out and comment. So it gets the dynamic out of the way pretty quickly for my sake, but sitting at a booth at a conference, soft skills, being able to sit there and look at the guy who's wearing the suit and tie versus the guy wearing the shorts and a t shirt and not automatically assume the guy in the shorts and t shirts, the tech guy, but understand your audience when they come up to the table and be willing to look and observe what's going on around them, look at their badge, understand that this is SVP of this versus Intel analyst of that.</p><p>And tailor your responses and expectations of that conversation until you have a reason to shift. I think a lot of people, especially in sales, get fixated on the slick sheet they have in front of them, and they read it, and that's it. 
And this goes for both sales engineers, new ones, more as well as the sales rep themselves.</p><p>And they're not willing to open up, like you both mentioned, and be a little more engaging to truly fact find or build some kind of temporary, potentially long term relationship, hopefully. With that persona and in sales, it's a requirement. If you want to really have a good sales cycle to have a relationship post sales, where I sit most of the time, it's a requirement.</p><p><strong>Evgeniy:</strong> we need at least two hours to finish this episode. You know, there are</p><p><strong>Neal:</strong> Yeah. Oh it's ridiculous. And I, Elliot knows this. I practice soft skills, non tech skills very well, but I am not a non tech skills person.</p><p><strong>Evgeniy:</strong> How do</p><p><strong>Neal:</strong> put me in a room, I'd rather you</p><p><strong>Evgeniy:</strong> Okay, we didn't finish what are soft skills, but how do you practice?</p><p><strong>Neal:</strong> I, so I'm very similar to Courtney. I started off my journey in the military, right? We're mostly aware of that. And my presentations were in front of very highly ranked individuals. My first time doing presentation, my very first presentation to anyone outside of my watch chief was to the, our ambassador to Colombia, along with the president of Colombia at that time.</p><p>That's the first presentation I ever made. And it was amazingly horrible. I hate, I despised 110 percent presenting in a room of people, whether I knew them or not. But to your point, it's you practice it, you read the books, you learn the skill sets, you go do things, you make yourself vulnerable and put yourself out there.</p><p>Five years ago, had we had this conversation, I would have told you I hate getting up on stage. 18 months ago. I tell you, I love it and I learned something every time I get on stage and I legitimately enjoy presenting and engaging with people in some way or fashion to do that. 
But it took me a lot of steps to get there.</p><p>Took me a lot of these types of conversations. Two years ago, podcast idea. I said yes to Elliot because I like him. And because I'd done a lot of podcast interviews, but that didn't mean I wanted to actually do it. I enjoy it now. Let me be up front. But it's a learned skill. It has to be very few people come out of this world and can understand people dynamics.</p><p>You have to practice it,</p><p><strong>Evgeniy:</strong> I want to add something, but before maybe Elliot, you talk about your soft skills and your definition, because I definitely want to add something about the experience and like the motivation of public speaking as well. And my first interview my, my first public speaking experience.</p><p><strong>Elliot V:</strong> Yeah first of all, I appreciate that you are taking over asking the questions because that will go right into where I'm going with this, which is. I actively try not to participate in the soft skill opportunities where I bring as many people to the equation. So I get to just hang out in the background.</p><p>And when there's like an opportunity, if I have to, I'll say a couple of words and that's it. That's my soft skills in a nutshell, but mostly joking aside. Just forcing yourself to be way outside of your comfort zone. Like I am an introverted hermit. I don't go out in those kinds of situations.</p><p>Yeah, exactly. Like you have to push yourself out to be able to do that. Because if you live within your comfort zone, you're never going to be able to experience those things. So podcasts, videos, webinars, the amount of stupid, goofy things that I've recorded with myself on that just pure embarrassment follows it as soon as I hit publish.</p><p>I'm like, this is the dumbest thing I've ever put together, but you got to do it because people like it. 
You just got to ignore your own feelings and emotions connecting to that information if you also are aware that the information that you're doing in that format will land. Well, sometimes you just got to make yourself the guinea pig of it.</p><p><strong>Courtney:</strong> We're fine with MVP in a software world, right? Like, why can't we find with MVP in our own personal presentation? It's feels so scary. I think</p><p><strong>Neal:</strong> just an anecdote on him. When we first met, I had worked at a couple of different product companies. Done webinars, done a limited amount of in person presentations on stage prior to that. I've done a lot of news interviews, courtesy of my first public job, my first private sector job at Arbor Network.</p><p>So that was a whole weird set of skills to learn how not to get quoted wrong in news, but when I'm, this is sincere. When I met Elliot here he was the first time I met a marketing person that knew how to manage the non, the more technical me versus the non technical me. I'd already developed a lot of relationship skills, but Elliot knew how to put them on paper and actually make heads or tails of my ramblings.</p><p>And for the time that we worked directly together, legitimately made me a better person and presenter, because I think he sleeps on a copy of How to Win Friends and Influence People. I probably stuffed in his pillowcase.</p><p><strong>Courtney:</strong> you're right.</p><p><strong>Neal:</strong> But Elliot, regardless of his introverted nature Elliot has some epic people skills on how to manage rooms and manage Manage conversations,</p><p><strong>Elliot V:</strong> Yeah I will. As much as I hate taking any of that kind of positive reinforcement feedback I will at least accept the Peacekeeper type title, even though that is not internally how I approach things. 
I would love for it to just be decisive and say, it's this way, but we don't live within that reality where we can just take a single route.</p><p>Unfortunately, compromise is a very necessary measure regardless of how organizations typically run. Oh,</p><p><strong>Neal:</strong> but like Courtney mentioned, learn how to couch it the right way and make it their idea when it's yours. That's leadership. Managing the manager. That's another book.</p><p><strong>Courtney:</strong> Managing up. Well, or like you were just saying, like the context that there's another soft skill, I think is looking at all the different contextual clues in any conversation, and that could be when you're talking about, maybe it's a project kickoff meeting. where you've got multiple stakeholders there and you're in taking the technical specifications of a project, but also the personalities, the overarching business goals knowing how to put those different and disparate, often disparate pieces together to paint a fuller picture.</p><p>I think that's a soft skill that a lot of folks, if they've just been tunnel view technical can miss sometimes. So that's, Taking in those little, and it's emotional intelligence, I think too. So video conferencing, right? It's different now in the post COVID world where we're doing a lot of video conferencing.</p><p>Where I think a lot of folks are you know, maybe I'm fixated on a sticker in the background of Neal's of Neal's background, and I don't catch, you know, a facial expression on a, to a, you know, something that I mentioned. Learning to take in those different physical cues on a video conference is different than it was in physical, in the physical landscape.</p><p>But that, again, I think just feeds back into. Pulling in all those different pieces and looking at how they inform the broader picture. You know, this true crime TV shows where all the strings are going in different directions. That's a soft skill. 
I think.</p><p><strong>Neal:</strong> So on that, one of the greatest things I think I've learned is how to be willing to reinterpret whatever it is I'm saying and/or presenting in various ways, right? As you learn the room, as you learn the personas, and having someone or a group of people who can present Idea A, but make it seem like B, C, D, E, or at least different iterations there.</p><p>That goes back to it. Once again, how do you influence that persona into a positive outcome based off of what you know your requirements are? And I'm going to use this word very purposely. You are intentionally trying to manipulate a scenario for the betterment of you and hopefully that person as well.</p><p>And so it's a little Inception. How do you get the right words and marketing term? I, what is that? The SEOs, right. And other stuff to get things to pop off in the right direction. I don't know.</p><p><strong>Elliot V:</strong> Close.</p><p><strong>Neal:</strong> That's essentially what you're doing. You're trying to get the right keywords into their brain and you're trying to figure out what those are for their eyes to light up and go, Oh yeah.</p><p>And go that way. Yeah.</p><p><strong>Evgeniy:</strong> Which is a very important part. I'm a second-time immigrant. English is not my first language. English is actually my third language. I used to speak very fast. I used to mumble. I used to eat the end of the sentence. And it was quite horrible in the teenager part, especially when you just started to date.</p><p><strong>Elliot V:</strong> able to</p><p><strong>Evgeniy:</strong> Long story short, when I moved to Canada and I was required to present, not at a conference at first, just to customers, explain the idea, explain what we're going to do, explain in the end what we did. What I realized is it's not only what I said, but how I said it and how it made them feel. It's actually how the book starts as well. 
And I learned when I, and it happened almost by mistake because I was very excited about the architecture, the design, the clustering of the firewall, how it's working and failing over, and people were like, dude, there's no way you're so excited about this topic. It's probably true. It probably has to be the way it's working.</p><p>And I started to incorporate that in my presentation. I would basically take the passion and kind of dial it in as much as possible, and I'd be very vocal and explain how it's working. And yes, Texas wasn't the best. I still don't understand the accent. It's, who are you and where did you come from? But in the majority of the other places, the idea of bringing passion and dialing in the passion and the excitement for your topic really worked, and people were like, wow, there is something there.</p><p>There's something happening. And definitely, when you learn to slow down, when you learn how to take out the filler words and make pauses, when you know how to hold the pause, when you know how to lower your voice or bring the voice up, it definitely helps. And I did go and do voice training with a therapist.</p><p>And I actually learned how to think. It didn't really work out, I'm not thinking, but he helped me quite a lot, where he's like, dude, forget about the accent. You're totally fine. Just be yourself. You have a low voice. You have an accent. People are going to remember you as you are because you have such a unique voice.</p><p>And it really helped me. And he made a very interesting observation. We as human beings, if we have a back pain, we'll go to a doctor. If we have a tooth pain, we'll go to a doctor. If we want to have a haircut, we'll go to a stylist. Who will go and say, I don't like my voice, I'm going to go to a voice therapist, I'm going to go to a speech therapist? Almost none. 
Besides that, if you're not presenting and recording and have a podcast, you're not going to record yourself on the phone and try to analyze your voice. And with AI, there are so many amazing products right now that tell you literally, you've been saying 'aha' too much, or 'you know,' or 'like,' or you're taking over the conversation. And it's, I don't know if you know, it's not even soft skills. It is part of soft skills, but there are side soft skills where you can help yourself. You don't need other people for that to start, but I definitely recommend to everybody listening, just for the hell of it, record yourself. Listen to yourself.</p><p>Don't worry, you're gonna hate yourself. It took me eight months to be okay with my voice. And if you know anybody that teaches piano or teaches voice development, go for a lesson or two. Understand your voice. If you want to go even deeper, try to describe your voice. What does your voice sound like in writing? Is it playful? Is it catchy? Is it direct? How do you communicate? You'll be surprised. This is a weird thing to do, to try to describe your voice in writing.</p><p><strong>Courtney:</strong> Yeah. Yeah.</p><p>TryHackMe to TCM Academy, free Microsoft skills, you know, training and so on and so forth. And it's harder for folks to wrap their heads around, how do I get assistance to up my game with my non-technical skills? Everything from, say, interviewing, right? People have a hard time, maybe they're landing interviews, but they're not getting job offers from their interviews.</p><p>How do they get help with that? Do they, can they put themselves out there and make themselves vulnerable enough to, you know, ask a friend or a colleague or former colleague, Hey, can you do a mock interview for me? That's really scary. I mean, I don't love interviewing. Don't get me wrong, but it doesn't keep me up at night.</p><p>But even for me, someone who's relatively comfortable with interviewing, that makes me feel warm and hot. 
Just to think about asking a peer, just do a mock interview for me. When I've helped students go through, say, like coding assignments or security engineering assignments and soft skill assignments, the number one thing they've struggled with is a video recording of them giving their sort of like elevator pitch about who they are and what they stand for.</p><p>That's by far their worst assignment.</p><p><strong>Evgeniy:</strong> Courtney, how the hell, excuse my French, can they be okay with that? If all the studies and every podcaster I know tell me right away, when we started, we hated our voice. I don't know anyone that records themselves and says, Oh my God, I sound so amazing. So you expect someone that never recorded themselves to record under two minutes or five minutes.</p><p>Now you have to tick, tick, tick, tick your dad to record themselves. Then they're going to listen to themselves and say, Who the hell are you? How do you speak? I me, Evgeny, me want to deploy firewall. Let's do this. So this is wrong on our end because we don't teach people. We don't explain to people.</p><p>We make them kind of become a machine without being ready because in real life, they're not going to communicate with that. And really, you were trying to say something. And</p><p><strong>Neal:</strong> I was highlighting the fact that Elliot was born with the wonderful golden vocal cords there. He and Chase Cunningham heard themselves speak the first cry and they were both like, yeah, we're sexy. But that being said, I completely agree. I, that, that was a legitimate fear for me transitioning from face time.</p><p>So most of those things I did in the military were never behind a mic. They were always in a crowded room of people waiting to judge me in my uniform more than my presentation skills. It's all right. I'm a Marine. I got that one on lockdown. 
But when I had to start speaking on a microphone for the first time and legitimately hearing how I was presenting myself, it wasn't something that someone came up and said, you should practice this.</p><p>I just thought, Oh, I'm going to get on the mic. Everything's going to be fine. I picked up the mic for the first time and, holy crap, I sound like a screeching eel. Let's move this forward as quick as possible. And then I know for a fact I rushed through whatever that presentation was. And I think I was nervous enough about the whole thing to begin with that it slowed me down enough to where people don't complain as much.</p><p>That's still how I felt about it, right? So true facts: listen to yourself, understand how your inflections and affectations are being presented, and figure out how to make that impactful and get over yourself, as I needed to. And now when I go into a room and I pick up a microphone, it's, yeah, okay, cool.</p><p>I'm fine with this. I'd rather not, but</p><p><strong>Evgeniy:</strong> Talk about fear, because we mentioned fear several times. Fear from executives that are coming to a trip, fear to talk on the phone. Courtney, you mentioned something that I really want to touch base on. Fear slash a bit of excitement when you're going to present because you're pushing yourself out of the comfort zone.</p><p>And in a way, I kind of hate the idea when we have all this training: let me help you remove the fear, let me have you do something else. No, fear is good. Because if you see a kitty cat on the street, awesome. If you see a lion on the street and you're not scared, something's wrong with you. If you're going to present to one person and you're not scared, okay, when you're slowly going to present to 2, 3, 4, 5, 6, 15, 20, 100, this here, Courtney has actually measured.</p><p>It's kind of scary, but it's excitement as well. And I was talking to a person a few months ago and they made a very interesting analogy. 
Fear is something we don't know the outcome. Excitement is the same, but we know the outcome.</p><p><strong>Courtney:</strong> That's just what I was going to say. One of the best reframes I ever read was an article about people interviewing Olympic athletes right before a competition. And they'd ask, are you scared? Are you nervous? And they're like, I'm excited. And it's the same feelings, right? It's the same feeling in your gut.</p><p>It's just the athletes have figured out how to frame it more positively. And yeah, to your point, it's the same. You're invested in something you don't yet know the outcome of and it helps tap into some really good energy. All you have to, not all you have to do, it's not as simple as that, but one of the things you can do to help harness that</p><p><strong>Evgeniy:</strong> You need to transfer it. Yes. You need to transfer it to something good. And there is also the other expression. If you have a problem, when you understand that, okay, this is a problem, that part of the solution is to understand when the problem starts. So every time you're going to present, and you know you're going to be scared, excited.</p><p>Oh, okay. I know what's happening. Oh, now I can do a breathing exercise. I can do physical exercise, like literally. When I started to present, I'd go to a washroom, sit down and do box breathing for four minutes to calm myself down and go to the flow. Or I'd do like a rotation exercise to kind of calm myself in.</p><p>But now I know what's going to happen. And I'm still afraid and I'm still excited. The more, it's like 500 people. Because, okay, 500 people is relatively new for me. 200, it's okay. You know what was actually interesting? When COVID started, and I started to present, this is strange. There is no energy.</p><p>I don't know how many people are there. I don't feel it. But then, at the end of COVID, it's again, I need to present. Okay, where's the wall? Where's the microphone? I will talk to the wall. 
But you don't know if it's one person, or if it's 500 people on the other end.</p><p><strong>Neal:</strong> I think it's fun for my journey getting started doing all this. I passed companies before I got to where I'm at. Like I mentioned, public presentations in any vein, like legit in a room, were still limited to government interactions. Funny enough, I did a lot of stuff within the ISAC communities, limited stuff there, but it was with the peer group.</p><p>Usually people I had already talked with a lot. I still didn't really feel comfortable, but it was more of a comfort zone for me and typically not on a microphone. And my public presentations were few and far between up until the last COVID timeframe. Now I'm on stage. Just since August, I've done six presentations, six, seven presentations at different conferences.</p><p>Right. And it's a cyclic thing because of how the conferences echo to work. So I get on stage probably about 15 times a year for varying things. However, comma, whether I presented it before or whether it's a net new presentation, I've grown. Where originally I'd get up on stage, I didn't really sweat buckets, but I definitely sweat. I definitely had to clear the phlegm out of my throat a lot more than you should being up on stage. And so I'd have to go through a routine where I'd sit off on the stage for a good five minutes, just letting it all build up, you know, whatever I could to clear out my throat. And it was just that hesitation factor in the back of my body, like, what's about to happen?</p><p>Are you sure you really want to do this? You're not the guy that's supposed to be doing this. Just go do it, and then you get up on stage, 10 minutes into it, everything's fine. But I still, there's always a little bit of trepidation, but not out of fear. 
It's more out of, am I really doing the right service for my audience, and even if I'm not, correct.</p><p>Yeah, it's transitioned from me worrying about me. And I've always wanted to do stuff that was valuable, but getting to the point where I could stop fixating on myself outright and how I felt versus how the audience was going to actually be engaged or if I was doing them a service. And then</p><p><strong>Evgeniy:</strong> Important point. Sorry, I can't do this. I didn't want to</p><p><strong>Neal:</strong> No, you're good. And the last piece, transitioning from that focal point, and now my trepidations are fixated on outright soliciting for feedback and not worrying about that feedback, right?</p><p>When we finish up a conference, some of these places do feedback surveys within the room. I always want the checkbox to be good on presentation, 100%, you know, did I get it as close to a 5 as I could as a presenter? And then my material, if someone marks low, medium, high, that's where I focus.</p><p>I've got the five on presentation most of the time, I'm happy there. Now I can legitimately quit worrying about that layer most days and worry about how the content is consumed and if it was legitimately valuable. So I still worry about it, but I don't worry about me. I worry about my actual content. And is it valuable?</p><p><strong>Evgeniy:</strong> The interesting part here. So first you mentioned what you think about on stage. For me, it's still sometimes very surprising when I start speaking and everybody's quiet. I'm like, why is it so quiet? Are they literally listening to me? Like, seriously?</p><p>Here, this is one of the psychology parts. And it's very interesting because as human beings, we can only focus on a few things at the same time, not multitasking. Like we can drive the car, we can pay attention to what's happening around, we can shift the gears, we can be on the phone.</p><p>So we have enough focus points to do four or five things. 
Why it's important: because if you're scared about delivering the presentation, you have fewer focus points to pay attention to the new material and fewer focus points to pay attention to the audience and what they're doing. If you transition, performing, or according to the saying, the idea of being scared, to having the excitement, and then, Neal, as you're saying, I'm less concerned about me right now.</p><p>I'm more concerned and I'm more focused on the other part because I'm doing a service for the other people. I'm not here to shine. I'm here to provide information, a lesson, and whatever it is we're doing as part of the presentation there. So your focus points are changing right now. You can pay attention to people.</p><p>Are they interested? Maybe you need to modify something. You need to be louder. Maybe you need to be quieter. Maybe you need to be slower. Maybe you need to be faster. So fascinating.</p><p><strong>Neal:</strong> And to be fair, you still have to teach yourself to be a good presenter because it leads into being able to do all of what you just mentioned. I think being able to get over yourself to build into being a good presenter, that's the initial hurdle. The rest of it comes once you figure out that they're not in there to throw soup cans and tomatoes at you.</p><p>They're there to do something beneficial, right? I think that's where most people maybe get the initial hiccup: they really, legitimately are concerned about direct personal critique, not content. Initially, they're worried about, did my voice crack here? Did I cough too much there? Did I sneeze at the wrong time?</p><p>Things like that. The reality, once you get over that stuff, you can work on the legitimate skills</p><p><strong>Evgeniy:</strong> too much into the microphone, you know,</p><p><strong>Courtney:</strong> Yeah. But you raise an important point, back to your earlier question, Evgeniy, what are soft skills? 
I'd say the ability to not just take, but solicit, proactively solicit feedback is critical, right? I have told other folks, I was like, aversion to feedback, to me, is a career-limiting move.</p><p>Not only should you be graceful in your reception of it, but you should be seeking it out. And then how do you take it deep? It's really easy for many of us to get defensive and want to explain ourselves, like, Oh no, that's not what I meant. Or, Oh, it's because of this or whatever. And that's a natural human inclination, I think.</p><p>But to sit there and let your feedback giver run through what they have to say and just absorb it, thank them for that feedback, is hard to do. And you might have excuses or reasons or things to come back with, but unless they're asking for those, now's not the time to give that. Right.</p><p>Maybe at a later time: I may have misunderstood what your request was there. Next time, this is what we'll do to make sure that we're clear. What have you. But, again, not just being receptive and graceful in accepting of critical feedback, but in actually finding opportunities to solicit it in an organic way, right?</p><p>It's not helpful if you hit up your boss after every meeting, like, how was it? Was that okay? That's not</p><p><strong>Evgeniy:</strong> and</p><p><strong>Courtney:</strong> anyone any favors.</p><p><strong>Evgeniy:</strong> Like I call it in the book, I just call it myself, be able to guide someone and be able to ask for guidance. So Neal, you did post-sales, I did post-sales as well. You did pre-sales. Courtney, I'm not sure how much interaction you have with customers, if you do customer success or whatever. It is an important part.</p><p>We're not even talking about sales right now. You can be on the call and you can ask the customer, Mr. Customer, can you guide me, what's the best way to resolve X, Y, Z? Or, Mr. Customer, I'm going to guide you right now. 
What's going to happen in the next week, us working together. When I did post-sales with firewalls, and this is what I guide people that work for me to do as well.</p><p>You come into the room and you say, Hey, we're going to have five days with you. This is the plan for the five days. These are some of the high-level tasks. At the end of the day, like Mark did, in the morning you come in, okay, the plan for today is this. You come all the time, guiding the customers, and then they know what to expect.</p><p>It's going to be easier for them, but at the same time, like, Mr. Customer, are we doing what you want? Are we going at the same pace? Are we too fast? Are we too slow? And this could be happening in every place. When the customers call you and scream at you, this is maybe the time to shut up and listen and have the active listening.</p><p>Let them, let the steam come out, and then explain how we can help. There's a lot of dynamics, when and how to do it.</p><p>report,</p><p><strong>Courtney:</strong> Yeah. That's back to that emotional intelligence piece, I think, too. And everyone's the hero of their own story, right. And so if you are trying to convey your ideas or you're trying to help someone, help them be their hero. That's part of why, when I do presentations, I look for ways to engage the audience as much as possible, right?</p><p>Nope. Not many people really like to be talked at, and there's a time and a place. Sometimes we have to talk at people, like safety talks, right? You're talking about, I'm a whitewater kayaker and rafter too, you have to give a safety talk. That is a talking-at-someone situation. That's not the time for creative brainstorming.</p><p>But when you're trying to convey an idea or get some consensus building. 
That is the time for participation, I think, and let folks be the steward of their own story. And that can be everything from, again, just short, simple exercises, or thought-provoking questions, or, you know, when I'm presenting, if I have the opportunity, again, every audience is going to be different, but having the opportunity to bring some audience members up on stage. Thank you very much.</p><p>Or get people up and moving. The last presentation Elliot taught me to give, I had the whole audience getting up and shifting seats. And I connected that back to, you know, disruption of expectations. So if there are physical ways, or at least verbal ways, to get your audience to engage, then that engages other pieces of their brain and helps reinforce that they are an active participant in whatever story you're telling and that this is their story to tell as well.</p><p>So yeah, time and place for talking at, talking with, and co-creating a story.</p><p><strong>Neal:</strong> I think if I could get everyone ever to work in a handful of jobs to get good people skills, one of the things I think has been beneficial for me, I started off as an intel analyst and other things, very, once again, non-soft-skill-oriented Marine. You told me point and click, I point and click, you can fill in the blanks with what that was I was clicking.</p><p>That did not require soft skills.</p><p><strong>Elliot V:</strong> about</p><p><strong>Neal:</strong> Quite the contrary, I had plenty of moments where I told people on radios to piss off because I didn't like them. But that was the earlier me.</p><p><strong>Evgeniy:</strong> Did you use a soft voice, Neal, or no?</p><p><strong>Neal:</strong> Oh man, there's times I wish I would have. I probably wouldn't have had so many issues with my paycheck later on.</p><p>That being said, you know, the one thing I think for me personally that helped a lot, military included. 
Military, it teaches, at least the Marine Corps, Army, Air Force, Navy, and the rest of the ones that nobody likes to remember do very similar things. But I think in the Marine Corps we do this a little more focused because we're a smaller grouping, but going to boards simulates doing job interviews.</p><p>It simulates a stressful environment of being critiqued and answering things. I have taken that and I've applied that here in the private sector at times, whether it's onboarding someone just in general, and then we ask them to do a product reset. At a product company, you get a new hire, and I don't care if they're a sales engineer, a sales rep, or a VP of marketing.</p><p>You know, you go through, you learn something about the product and you present that back to us as if you were doing a sales pitch of some sort or a demo, whatever it may be. And you're doing that in front of three, four other people. And the idea is just to see how those soft skills are. After we've already hired you, we've done a little bit of that before.</p><p>Maybe we're not hiring you for a soft skills job, but we still need to engage you and we still need you to have an understanding of what it is we're offering. So you present it, we critique it, you go back and rinse, lather, repeat. And so it's kind of like a board review. It's like going to an NCO board or something like that in the military.</p><p>And that's how I like to treat them. Gives people the experience of being critiqued, whether they've had it or not. Gives them a chance for rebuttal as part of the format. And then it goes back. There's wonderful examples of that all across academia. But that's the one thing I like to do, push them into a consultative mentality, allow them to present and then allow them to present the solution post-critique.</p><p><strong>Elliot V:</strong> All right, well, thank you all for joining us, and Courtney for being a first-timer to the podcast, and certainly it will not be the last time. But this is. 
I just want to reiterate, this is super important. As we push back and address the skill gap versus employee or talent gap scenarios, and also just trying to help support and push security practitioners further, things of this nature are super beneficial, especially as you want to more effectively communicate findings and things that you're identifying. I find that personally effective, especially if you're going towards, like, the threat intelligence world, where you're trying to articulate a full story instead of just, like, one little speed bump that you're trying to walk through.</p><p>So I really appreciate y'all providing some context, some background, some of your journey and how you kind of experienced some of these things. But if I could sum this up very quickly, it is just be uncomfortable, or be comfortable being uncomfortable. I think that's the way. There it is. All right.</p><p>I got it. Right. But that is it. That's the end of this episode. We really appreciate you joining in and we will see you next time.</p><p><strong>Courtney:</strong> Thank you.</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, go to adoptingzerotrust.com. 
Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers,</p>]]></content:encoded></item><item><title><![CDATA[Behind the Scenes of Cybersecurity Media and Reporting]]></title><description><![CDATA[Season 3, Episode 15: We gather a panel of journalists, communications, and a researcher to discuss how cybersecurity news and incidents are reported.]]></description><link>https://www.adoptingzerotrust.com/p/behind-the-scenes-of-cybersecurity</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/behind-the-scenes-of-cybersecurity</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 21 Nov 2024 11:45:52 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/151953903/eadfe6edf408da5e3ebc2eeeae9ce468.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Idrf!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Idrf!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!Idrf!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!Idrf!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Idrf!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Idrf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png" width="1280" height="720" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:701120,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Idrf!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!Idrf!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!Idrf!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Idrf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F796a5e06-bf37-4b88-b2a2-11d0edcf1f1d_1280x720.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or&nbsp;<a 
href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>The world of cybersecurity journalism can broadly be split into four competing forces: reporters, communications teams, researchers, and readers. Each needs the others to accomplish its goals, but at the same time they all have very different priorities.</p><ul><li><p>Journalists have a duty to inform the public about security-related events.</p></li><li><p>Communications teams have a duty to inform the public about related incidents and research, but in a controlled setting.</p></li><li><p>Researchers provide answers to communications teams and journalists.</p></li><li><p>Readers want to be informed about the information that impacts them, and their habits shape what kind of reporting gets the most investment.</p></li></ul><p>This week we explore some of these dynamics by bringing together a panel representing comms, journalism, and research to discuss the tug-of-war during incident response and incident reporting.</p><p>Danny Palmer was a long-standing cybersecurity reporter at ZDNet before recently joining Darktrace; Josh Swarz is the Senior Communications Manager at Microsoft focusing on threat intelligence; our host Neal Dennis is former NSA and has lived many lives either keeping secrets or uncovering them; and I (Elliot Volkman) have been a reporter for two decades and work with Josh on elevating research at Microsoft Threat Intelligence.</p><div id="youtube2-uzUlqXWWVMc" 
class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;uzUlqXWWVMc&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/uzUlqXWWVMc?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Episode TL;DR</h2><ul><li><p>Cybersecurity communication requires a delicate balance between protecting sensitive information and informing the public.</p></li><li><p>Internal security teams are typically direct, transparent, and cut out fluff.</p></li><li><p>Journalists play a crucial role in translating complex cybersecurity information for the public.</p></li><li><p>Transparency is important, but it must be balanced with responsible disclosure practices.</p></li><li><p>Organizations should develop clear communication protocols for security incidents.</p></li><li><p>Regular, transparent updates to stakeholders can help build trust, and ignoring them allows others to craft the story.</p></li><li><p>Building relationships with journalists can ensure more accurate reporting of cybersecurity issues.</p></li></ul><h3>Producer&#8217;s Note</h3><p>We are nearing the end of season 3, which means it&#8217;s time to start thinking about 2025. If you have topics you&#8217;d like covered or guests you would like to hear from, let us know in the comments. We&#8217;ll, of course, continue to work on our Zero Trust implementation strategy mini-series, but otherwise, Neal and I are looking forward to coming up with new creative concepts for you.</p><h2>Understanding Media Dynamics in Cybersecurity</h2><p>The cybersecurity media landscape is marked by tension between organizations protecting sensitive information and journalists driven to inform the public. 
During the chat, Danny Palmer reflected on the challenges of selecting stories, emphasizing the importance of providing readers with information that educates rather than merely attracts clicks.</p><p>Palmer notes that the media industry is constantly shifting, with journalists often pressured to cover trending stories while maintaining nuanced reporting. The goal was always to report on cybersecurity issues that would genuinely benefit readers, not just rehash sensational figures that don't help anyone understand or solve real-world problems.</p><p>The practitioner's role in this dynamic is crucial. Josh Swarz added to this by highlighting the delicate balance in communications, where transparency is key. He discussed the challenge of informing the public without compromising security operations or inciting unnecessary fear.</p><h2>The Responsibility of Reporters and Organizations</h2><p>For Danny, a journalist's role was to sift through pitches, filter out misleading statistics, and focus on stories that truly mattered. As a reporter, engaging deeply with the cybersecurity community meant not just covering breaches but offering insights into how stakeholders could protect themselves.</p><p>Conversely, organizations must approach communications carefully. Swarz describes his strategic approach to balancing transparency with managing public disclosures. This involves internal discussions, understanding the implications of disclosure, and ensuring that shared information is both informative and responsible. For example, releasing information too early or in too much detail can disrupt active investigations and mitigation efforts. In other cases, added public attention could affect ransomware negotiations.</p><h2>Communications vs. Journalism: The Fine Line</h2><p>A prevalent issue in cybersecurity communication is the balance between marketing and genuine information sharing. 
Organizations can tip this balance unfavorably by using alarming statistics without proper context as marketing hooks. This approach can lead to misinformation and undue fear, a tactic Neal Dennis strongly advises against. He emphasizes the importance of substance over sensationalism, noting that reckless marketing often erodes trust, and potential business, with analysts.</p><p>Product companies must ensure that narratives promoting their solutions don't become alarmist sales pitches. Instead, they should highlight authentic research and provide clear, actionable intelligence for users. Danny typically could sniff out these stats and request more source material before considering using them. Swarz and I functionally do the same with the internal teams to ensure accuracy.</p><h2>Moving Forward: Encouraging Responsible Disclosure</h2><p>This episode encourages cybersecurity practitioners and communicators to embrace responsible disclosure. Researchers and reporters should focus on insights that empower the community to act preventively. For those on the business side, storytelling should emphasize actionable results rather than exaggerating risks for competitive advantage.</p><p>As our chat reveals, while cybersecurity faces challenges ranging from threats to public perception, diligent and honest communication strategies can significantly enhance the industry's credibility and effectiveness. As responsible members of the cybersecurity community, we must promote a balanced narrative that informs, empowers, and prepares. Or, as our friend DrZeroTrust likes to say: buy the dip, because public companies almost always rebound after an incident.</p><p>Regardless of impact, we have one call to action for our audience. 
If you are a researcher, partner with your communications team to identify effective ways to share your findings with those who can use them most, or you can always connect with your relevant ISAC.</p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot V:</strong> Hello, and welcome back to Adopting Zero Trust, or AZT. I am Elliot Volkman, your producer, and today, more or less, going to be your host. Neal is doing actual cybersecurity work today, so we're going to have a little segment that you're probably hearing or heard just before this. But we're going to be deviating a little bit from our typical conversation about cybersecurity strategy, implementation and that mini-series that we have kicked off and will continue in about an episode or two. That said, I'm going to introduce you to some pretty well established folks in the world of cybersecurity as it relates to media, journalism and everything in between, and a little bit of the shift to the dark side.</p><p>So that is where I'm going to kick this over to you, Danny, real quick. You have been in this space for quite a long time. I have really respected your days in journalism. You have now welcomed the dark side with open arms, like Josh and I, working specifically on the cybersecurity vendor tech side.</p><p>But maybe add a little bit of color, shed some light on how you entered the world of cybersecurity, and then we'll shift over to Josh. Okay.</p><p><strong>Danny Palmer:</strong> Sure. Thanks Elliot. 
Yeah, as I said, I was a cybersecurity reporter at ZDNet for pushing eight years, from about 2016 to 2023. I found my way there through, before that, being a general enterprise tech journalist, and before that I was writing about the video game industry, so yeah, shifted across in that path, and I ended up covering cybersecurity because there was always something to cover and it was really interesting as well.</p><p>So I spent many years at ZDNet, which at the time had a very high focus on cybersecurity, and did loads of different things there, covered lots of major stories, went to loads of events. I think technically, when Log4j happened, I was one of the first reporters to cover it, because it happened on US time.</p><p>When I woke up in the UK, it was there, all having happened. So it was quite interesting there, having seen how Google decided that I was the authority on Log4j, or log4ge, whatever we're going to say, if we ever actually decided what it's called. So yeah, I spent many years there, and as happens in the media world.</p><p>As I'm sure we're all aware, things are changing all the time. And during my tenure at ZDNet, it changed hands to a new owner, which changed the way he wanted to do things. Eventually there were a lot of redundancies, and we've seen a lot of that around the media industry right now. Fortunately I had this role at Darktrace lined up already at the time, which is just a lucky coincidence on my part, where I have moved into, I've been there about 18 months now.</p><p>And one of the key parts of my role is I've established an editorial site for Darktrace called The Inference, which is basically what I was doing at ZDNet, essentially in terms of writing long form features, analyzing and explaining cybersecurity trends. 
It's interesting because I don't have as much of the pressure as I had at ZD, for example, in terms of you need to get X amount of stories out this week.</p><p>It's very much a long form process and it's been good. It's been good. It's been cool actually having, there are many people who, obviously I've known a lot of people from the cybersecurity industry from my time at ZDNet over the years. And it's been cool how a lot of people from there, be they people who knew me from when I spoke to them for articles or when they did my video and podcast series, how they've been happy to come across as well to this new project and speak to me there.</p><p>It's been good, and it's good to actually have it up and running as well, because it took a while to get off the ground, but seeing it live and actually running has been really good. And I was actually able to show it off to people at Black Hat USA this year, which was cool. And that was my first time at Black Hat USA as well, because, yeah, as a reporter being based in the UK, it meant getting out there was a tricky thing.</p><p>So yeah, rambling a bit, but that's my background there.</p><p><strong>Elliot V:</strong> and</p><p>dig into that a little bit more because you have both sides of the brain, the fresher aspect of it. I don't know, this is my form of journalism today. I don't have those holdbacks that y'all had being under an editorial thumb, which pivots us right over to Josh, who, if you're watching this, you can see, he and I actually work over on and support the Microsoft Threat Intelligence side of the house, of a very large organization that has many aspects of security. But as part of that, that means Mr. Josh over here has a lot of visibility into threats, threat actors, the shifting landscape, helping tell the story. 
But I'm going to let you cover a little bit about your background, because you did not just walk into the doors of our group.</p><p>You have seen some of the largest publications, been part of those largest publications. Maybe can I go from there?</p><p><strong>Josh Swarz:</strong> Yeah, no, thanks for having me, and I have gotten into cybersecurity in a backwards way for sure. I'll actually start by backing up even further. I started my career in politics, and I was working in Florida in the state legislature right out of college. These were during the Obama years.</p><p>And while the Democrats were in power in Washington, they certainly weren't in Florida. And that kind of was my introduction to working with many different types of people. And after politics I went back into school, into grad school, and focused my attention there actually on cybersecurity, as when I wrote my thesis on Chinese cyber economic espionage I met folks like General Hayden and other members of the security community.</p><p>And really dug my teeth into cybersecurity there. And it was actually after school that I then got into PR and storytelling. And I opened my career and really focused the first decade of my career in cybersecurity public relations, working for a variety of different agencies and a whole host of different cybersecurity companies, from startups and Series A, B and C companies, as well as more established companies like Symantec and Verizon and their DBIR, of course, as well as even more well known companies like Siemens and their industrial cybersecurity group.</p><p>And really got to learn the landscape and also learn how to tell the stories to reporters like Danny, who were on the other side of the aisle, if you will. And so it was super interesting. 
Got to touch a whole host of different aspects as it relates to cybersecurity.</p><p>And I think it was the background in politics and working with both sensitive and classified information that kind of got me prepped, I would say, to handle this world as well, because it's very similar in many different ways. Most recently, before joining Microsoft, I was at Big Valley Marketing.</p><p>It was there that we worked with, again, many different types of cybersecurity companies, from Symantec and their Threat Hunter group to really interesting startups that are doing groundbreaking work in internet security, from Island and the enterprise browser that they're working on, as well as some VCs who are funding the cybersecurity community, and got to see everything from a high level, and the storytelling opportunities are endless.</p><p>Here at Microsoft, we touch, obviously, everything. The telemetry we have is unparalleled, and I've been here since February. Been a recent move, but it's been super interesting work talking about some of the biggest threat actors in the world and then finding that balance as well, where obviously journalists are after everything, and not something that we can always disclose, but finding that balance to make sure that the story is still something that resonates and gets out there to both customers and the industry at large, but also the media is satisfied and feels like they've gotten something as well.</p><p>So the role here as senior communications manager, working with a threat intelligence team, 
is really to find that balance and also make sure that the right stories are being told to the right audience at the right time.</p><p><strong>Elliot V:</strong> Yeah, so you nailed the topic of choice here, which is, there's probably a few ways that we can do this, and I will do my best not to get you in trouble, just so that I don't get in trouble. Looking at this, Danny, you're fair game. I'm going to terrorize you the right proper way. But yeah, so this is primarily going to be a focus and a conversation on the media landscape as it relates to cybersecurity, threat actors, incidents and everything in between.</p><p>So I want to maybe highlight a little bit of a challenging and hot button approach, and Danny, I don't know if you caught this session at Black Hat, but this is the inspiration for this actual episode. But there was, I think, at least one PR person, might've been two, like, PR comms people. And then there were a couple of reporters on stage, basically trying to just hash out the relationships, how they handle things, especially with threat actors knocking on the door of reporters and abusing some of that relationship and all that nature. But that was the background for this conversation.</p><p>And I have ulterior motives as well, where I've got a bone to pick with the current media landscape of why on earth are we over-indexing on the amount of incidents when it's not, anyways, so we'll go from there. But maybe, Danny, I'd love your perspective having been under that editorial thumb of you've got to move fast.</p><p>You've got to publish information that gets readership and clicks. But what did that look like from the journalistic perspective, from the editorial side? Where was maybe the priority, and how were y'all communicated with about covering these kinds of situations? And then we can pivot a little bit further to dealing with threat actors knocking on your door.</p><p><strong>Danny Palmer:</strong> Good question. 
I missed that session, actually, as I guess with the change in our meetings at the time that was happening. But back at ZD, I had free rein pretty much over what to cover. And I obviously picked out what I thought was interesting. Obviously part of it was thinking what would get traffic to the site, what people were wanting to read. There was an element of, no, big breaking stories.</p><p>You think, okay, need to cover this. Of these, I guess my biggest example of, this needs to be a thing I need to cover, it was back when obviously WannaCry was a massive, great, big deal for everyone. That was one of the nights I was actually working quite late into the evening, sort of covering, because it was a constantly changing, updated story. And then I think it was overnight a patch went out, so I was just, okay, I spent 10 minutes on Saturday morning writing, okay, here's a patch for this. No, I saw my role to educate, inform, and provide information on what's going on.</p><p>Again, a story I wrote in about 10 minutes. Loads of traffic, loads of things like that. Because it was just like, I wanted it to be out there, partly because I thought it'd be interesting to people, but for the views as well. It's interesting, when picking what to cover, that was always a challenging thing.</p><p>Because, I'm sure you can imagine, I've got pitches from so many different agencies and companies asking, oh, do you want to cover this? A lot of the time it was tricky to choose, because there's so many interesting things out there to potentially cover. And I was only sort of one person; there was obviously a wider team at ZDNet in terms of the cybersecurity beat.</p><p>I was, for a time, sort of the one person in the UK focused on that. And it basically came down to what, yeah, what was going to be an interesting thing people wanted to hear. 
We had the idea in the newsroom of what the story you'd want to tell your friends down the pub about was. What's an interesting thing that has happened?</p><p>Little things. Obviously phishing attacks are big, major things we're all aware of. But it was more than that. So you saw phishing campaigns where there was a particularly interesting spark in them, a different thing, and that would be the goer on there.</p><p>And I think some of the stories that I really liked covering back at the time, which were sometimes quite difficult to get, were talking to organizations who had suffered from cyber attacks and cyber incidents. Obviously a lot of them don't really want to talk about this at all. I've had times where I called up companies who were being hit by a ransomware attack.</p><p>They go, how'd you know it's ransomware? It's got all the signs of a ransomware attack, let's say. But yeah, some of the most interesting stories that I really enjoyed doing were speaking to these people who recovered from attacks, because speaking to a construction company who suffered a ransomware attack and how they went about recovering from it.</p><p>They didn't pay the ransom, anything like that. And it was really interesting to get that insight into what's happening,</p><p><strong>Josh Swarz:</strong> one</p><p><strong>Danny Palmer:</strong> to tell that story and showcase it to everyone else. Because the CIO I spoke to basically said, I don't want people going through what I went through. I want to spread the story and say, make sure you're not ashamed.</p><p>Because there is, there's still a bit of a,</p><p><strong>Josh Swarz:</strong> You</p><p><strong>Danny Palmer:</strong> companies which really open up about what happened. And there's the companies and organizations which basically what happened. 
I won't name names, but there's a prominent organization in the UK which did suffer a ransomware attack a few years ago, and in their official documentation they've still never referred to it as a ransomware attack, which is interesting.</p><p>The National Cyber Security Centre has; they haven't. But yeah, there's always a lot going on to choose from. And then it was always really interesting as well, because when I did the video and podcast series, it was quite interesting. People started pitching that to me, and it was something that's quite bizarre, looking at the people I was being approached by, all these ex-NSA, FBI guys, ex-CIA, even being at events having guys from GCHQ or NCSC approaching me, wanting to chat to me. It was really odd.</p><p>Really cool, but really odd, when you think about it.</p><p><strong>Elliot V:</strong> Yeah, I can imagine there's a lot of interesting characters there. And Josh, I know you definitely have seen your fair share. So I think one thing that I do want to call out is, you hit a specific item, which is a core piece of this conversation, which is: as a reporter, you have a duty to inform the public about certain things, especially if it's a widespread incident, attack or something of that nature.</p><p>On the organizational side, they have a duty to not release too much information, because there's probably an active situation occurring. An oversharing of information could impact the public, the response to it. There's obviously other sides, like brand reputation, all that stuff, which we're not going to touch with a 10 foot pole for the sake of everyone's sanity.</p><p>But Josh, I'd love a little bit of insight from your side. You and I deal with this quite frequently, but where do you see or strike the balance of the philosophy behind an incident? 
No specific example, by the way, just when we're getting knocks on the door, not at our current company for the sake of this conversation. How do you approach that?</p><p>Is there a level of transparency? They come to the table, they have certain information. How do you balance that out while protecting what you have to protect, but also recognizing, again, that reporters and journalists have to inform the public and tell the story?</p><p><strong>Josh Swarz:</strong> Yeah.</p><p>certainly unique; ultimately, there are sometimes lives at stake, or governments that have to be dealt with or informed. And obviously, most importantly, especially from an organizational standpoint, you have customers that you're trying to protect and notify in a timely manner. And all of that is balanced with the other side, which is storytelling and letting the media know answers to their questions, as well as informing them when you're able to, and the balance that is struck is a delicate dance.</p><p>I would say that it is always evolving and changing. Oftentimes you want to ask yourself how this will affect this group or that group. And also, will it be interesting? And what will the media want to know? And so when we're talking and prepping with our subject matter experts, oftentimes we try to go to them and say, look, what is the story?</p><p>Let's get the full story out there first and see what this is all about. And then oftentimes it's trying to focus in on the key points of information that will resonate with the audience, while also protecting the information that needs to be protected. Certainly not something that comes easy to many people, and it takes practice.</p><p>But another point that is important to remember here is that you're dealing with people. 
Everything here is a person to person business, and reporters have a job to do; us folks on the PR side also have a job to do. And the magic happens where the two overlap, and you try not to view the other as anything but doing their job.</p><p>And when dealing with folks like Danny when he was at ZDNet, or other reporters, ultimately they're trying to tell a story, but they're trying to gather information as they need it. And ultimately, not coming at the story from a combative or a defensive stance helps. You want to be open and transparent.</p><p>And sometimes the easiest answer is the best answer, which is, I don't know, I'm learning this in real time, I'm hearing things in real time. Reporters respect, I think, and Danny, feel free to jump in here as well, but I know reporters in my experience have always respected when PR professionals are open, transparent and provide information and updates in a timely, real time fashion, versus deflecting and sometimes coming at things from being evasive or just flat out unresponsive. The dance goes a lot smoother usually when you are open, transparent and tell them in real time what you're able to share. They understand, especially security reporters. I think they're a unique bunch, and they get it. They understand that there's things that just can't be shared. So I think it's striking that balance. And in time, you learn where that line is.</p><p>And while it is a dance that happens every day, you just take it one step at a time.</p><p><strong>Danny Palmer:</strong> Okay,</p><p>by a cyber incident, it was my job to call them and ask what's happening. 
I also felt bad about it, because they've got enough on their plate already without me calling them up, but I wasn't trying to do a, you idiots, what's going on here? It's, okay, you've got this incident that's happening. Is there anything you can tell me? Just because I have a duty as a reporter to write about this major incident. And a lot of the times organizations, even if they couldn't tell me information straight away, later on they'd be able to tell me more, especially when I was hopefully polite on the phone and things in those first instances.</p><p>And I'm also, yeah, very aware that there's only so much that can be shared. I'm aware that, in terms of any incident or cyber attack or threat group, there's information out there which cannot be made public, because it might put people, businesses, organizations, sources, research at risk, which was something that was always on my mind.</p><p>There's plenty of times where there was a lot of interesting stories where I'd report on a security company X putting out a report on this incident which happened to an unnamed customer. I guess in an ideal world, we wouldn't name the customer, but usually these stories were very, really interesting.</p><p>So an insight into how these happened. So years ago, I wrote a story on how a vendor put out a report on how one of their customers was compromised by one of their employees using a laptop in a coffee shop, and basically the traffic being intercepted. And that story, it wasn't about who did the attack or who was affected, it was about, here's a thing which could happen, which I think was the main thing I was trying to portray when I was writing these articles. Here's a thing which happened, here's why it happened, here's how you can avoid it happening to you. 
Which was, I always felt, a really important part of what I did, to try and put that information out there to say, hey, don't become the next victim of this.</p><p>Which is something that I guess, as someone who was working for a B2B tech website, it felt, yeah, my duty to do that. So my audience would've been people working in the sector. So I think I was writing for people who had a bit more technical knowledge than your average human, which was both a blessing and a curse in some ways, because you'd see comments asking, what is this thing that happened in this?</p><p>I don't know. The company hasn't told me what's happened there, I'm sorry. Or, the other ones are, why have you mentioned that this particular operating system was hit? Because it was the system being used. But yeah, reading the comments in any line of journalism is probably something best done in moderation.</p><p><strong>Josh Swarz:</strong> And I'd say that's a good point that Danny made. Oftentimes the simplest thing is the most challenging, right? What we're trying to do is take very complex information that can be pages long in technical detail and oftentimes try to really convey that to journalists and their audience within a few sentences of, this is what happened.</p><p>This is why it mattered. This is who it affected, when possible. And oftentimes the same approach that Danny took, which was excellent, is the same approach that I feel like needs to be done more, which is, this is why it matters to you, the reporter, but ultimately, this is why it matters to your audience.</p><p>And this is what they need to know to stay protected, because the news is happening so quickly and these attacks are now coming every day. Every day you hear of a new cyber attack and a new breach, and oftentimes, I know, 
reporters like Danny are trying to convey how to stay protected, and what their audience can do to both protect their organization and themselves.</p><p>And the challenging part really is not necessarily sharing that information that can't be shared, because journalists oftentimes know that it can't be shared. The challenging part oftentimes is, what can be done to protect yourself in the future, without obviously being too promotional of the vendor that you're representing. That dance, and coming at it from a thought leadership standpoint and with facts and interesting points of view, that's oftentimes where the magic happens.</p><p><strong>Elliot V:</strong> So Josh, maybe we pivot a little bit. I want to try not to jump on my personal soapbox too much, but I do have a bone to pick with organizations. And I think fortunately you are in a position where this is never going to be a problem, because there's an endless amount of intel and research that comes out of your world. For the smaller security vendors in particular, they obviously have to do whatever they can to create narratives and stories that will get press pickup. And again, this is outside of your world today, but I'm curious how you look through that lens of risk and impact to the cybersecurity community at large.</p><p>So if you're working in a smaller org, you have a new, novel incident that has come across your plate, but the probability of it doing anything, or the impact as it sits today, is incredibly low. How do you create that balancing act? Because you have to represent the organization.</p><p>And again, this is not representative of where you are today. But how do you work with that? Is that like, will you push back on internal stakeholders? Or do you try to provide some guidance to the reporters who, at that point, take the story and let it go wild? 
I'd love to know how you create a balancing act or how you balance some of those, stories.</p><p><strong>Josh Swarz:</strong> Sure, and, coming from that point of view, oftentimes when you represent smaller cybersecurity vendors or stakeholders, they are just trying to stay in the conversation. And so the balance in that shifts quite differently than when you represent, a Verizon writer or an IBM where they obviously are already in the conversation, but then they're trying to protect information or or might not be able to share as much as, as they, as they would like when the balance, when, when working with folks that are in the early series, oftentimes what we try to do, the balancing act takes the form of, point of points of view.</p><p>And and, whether that comes from, a bold statement or a CEO that's willing to go out there, if you will or whether that comes in the form of, an interesting stat or survey that they've conducted and have, unique insight into, but, on the flip side of things, you want to also make sure you're always adding value to whatever story that you're working on.</p><p>And when working with publications, I know folks like Danny often appreciated when the value add would come in form of in the form of a great quote. And you work very closely with your stakeholders and the internal folks at, name your organization to develop that and to get those quotes out there.</p><p>Oftentimes that does not come easy. Obviously, executives are oftentimes think thinking of either product or, are so new, internal facing that they lose sight of what the larger landscape is caring about. 
And so when, striking that balance, we would oftentimes at past firms, at least spend time with executives, spend time with the folks on the ground that are also, directly involved in identifying the threats that they're seeing.</p><p>And, instead of probing them on, how this is the biggest value add to name your company they, we would try to probe and poke a little bit on, how this affects the industry, how this affects the larger cybersecurity landscape. And, and by doing that, we would be able to unearth really interesting points of view.</p><p>I would say that, is a strategic advantage that some, smaller companies have over larger ones where they're able to share more and be a little bit more open with what they can say versus, when you're, when you're larger when you're working with larger companies, they tend to be a little bit more reserved on on what they can say.</p><p>And and then, working with folks like Danny and other journalists that, are telling those stories, they oftentimes appreciated when, we could give them a quote or a data point that no one else would get. And and, oftentimes that was enough to strike that balance that, you're still delivering the value add.</p><p>It's not while not just promoting, straight out, whatever, product or gizmo, that company produced.</p><p><strong>Elliot V:</strong> Or clickbait too.</p><p><strong>Josh Swarz:</strong> Yeah, all</p><p><strong>Elliot V:</strong> Yeah. So I, there are a few items that I want to emphasize and bring additional attention and only because I can abuse this as a soapbox moment. And I'm going to make a little clip and put this on LinkedIn to yell at some people, but there's two sides of the coin. 
That I want to reiterate again. So there's our cybersecurity community and then there's like the humans at large or end users, maybe but in or through that lens of like our cybersecurity audience, we're not looking to create havoc and chaos because if we're looking at a smaller organization, they find a smaller vulnerability or incident, and they want to put a little bit of too much energy behind it and start report pitching on reporters.</p><p>What ends up happening is to the cybersecurity world our listeners in particular, they are then going to get emails from their CEOs, their executives. Is this thing important? Do I care about this? Why is this getting coverage? And that is the nightmare that I think is like plaguing the like media landscape for cybersecurity.</p><p>But that means internally organizations content creators and whatnot. I think there needs to be a lens of information that needs to be delivered with that if they're going to try to highlight some of these kind of unique vulnerabilities and stuff of that nature. So that was my soapbox moment.</p><p>But again, I, I think there is value in highlighting unique and novel elements, but there just needs to be this other piece that comes alongside with showing how much impact this is, how probable it's going to have so that people in the cybersecurity world don't get those emails from executives and board members of why on earth are we not protecting against this?</p><p>Is this hitting us or our customers? And then it's the same story every other week in and out. Incidents are a little bit different. They'll just read it and gloss back over it, but it's usually the vulnerabilities, which are just a concentrating a bit of an issue. So that is my soapbox. I'm now off it, but yeah, I don't know if you have any perspective that you want to add</p><p><strong>Josh Swarz:</strong> I think, that's from a PR perspective. That's every PR professional's worst nightmare, right? Like, why aren't we in this story? 
Why, what about this? What about that? And oftentimes, that can lead to, journalists kind of their, their complaints about, whether we're ambulance chasing or, just promoting for the sake of promoting, that it's a slippery slope because oftentimes, when there are that when there are those types of internal pressure, you have a lot of the, especially the junior folks at agencies, under quite a, quite a bit of pressure to deliver something.</p><p>And that's when oftentimes that something takes the form of hey, this cybersecurity instance just happened. You want us to comment too? And it doesn't really have any context or, or, anything that provides value add and everyone becomes miserable. So I would agree with your soapbox analysis there.</p><p>But what I would say is again, striking that balance, right? Pushing back from a PR perspective on executives when they ask, why are we not in this? Or, why, what else can we do to, to, get in front of this reporter or that reporter, they're, they're conversations that need to happen up front, and, and why are you doing this?</p><p>Who are you trying to reach? What audience are we trying to most specifically target all those pieces of information kind of ladder into the, the generic email of like, why didn't we get the Wall Street Journal? And I think that, oftentimes, we'll nip it in the bud because then you can focus your attention on more pressing stories and, and align internally.</p><p>Okay these are the things that we want to focus on. These are the stories that we want to promote and oftentimes that will, will lead to a more cordial relationship with reporters. Okay.</p><p><strong>Elliot V:</strong> For the sake of our listeners, it looks like Danny had a little bit of a connection issue, so unfortunately I'm gonna lose that perspective of our conversation unless he chimes back in. 
So otherwise it's gonna be the Josh and Elliot show for the next few moments and we'll go from there.</p><p>But that's Josh, I did want to poke at a couple other items that are tied to the media landscape, so you are privy, very specifically, to a lot of intelligence that the world wants or sometimes needs to know about. And we are constrained realistically on how we're able to do that. So reporters obviously will knock on our doors.</p><p>But do you feel like there are other communication channels to activate that information so that there are early warning mechanisms? Or on the flip side, if that's a little bit of a touchy subject is do you feel like there are mechanisms from a comms perspective that you can push internal stakeholders say we should release information sooner because it will help disrupt an attack or something of that nature?</p><p><strong>Josh Swarz:</strong> Sure. From an intern, from a comms perspective, there are multiple channels, right? PR is obviously one of them. And it's, my bread and butter. That's what I eat and breathe. But the media is only really one stakeholder in the larger picture. You have social media and, obviously the, both X and LinkedIn are, are two vehicles that, should be used when, when appropriate and, and are instantaneous, you're getting your information out to the world immediately.</p><p>Blogs and, and the rise of, blog content, every, working now in the industry over the past 10 years, every company has a blog, whether, whether the value add there is there that's a, that's a kind of a different question. Sometimes they can be a little too inward facing.</p><p>And folks like Danny now on the as you call it, dark side are working hard. I know I'm trying to fix that and running blog publications to be more external facing and not about Product X or not about company News X, but more about point of view on, name your threat or name your nation state threat actor.</p><p>And that, I think, has helped a lot to ease the pressure. 
And make sure that, information is getting out there in a timely fashion, because I know reporters also have tuned into the RSS feeds to many companies, blogs where, for instance, here at Microsoft, when things have gone public, sometimes we will get inbound requests on those blogs before, before we even have a minute to breathe, right?</p><p>Like we'll hit the publish button and five seconds later, Danny's replacement is, is, emailing. What about this? What about that? Here, here are a list of questions. And so those vehicles, I, I think have become really important to the, the security community because, in, from a security community point of view and, and strictly from their audience.</p><p>I know there are many, chat groups and blogs and websites that are, are visited frequently to make sure that, in critical information that needs to get out to the larger community is out there in a reasonable timeframe versus, what you might read in a Wall Street Journal article, right?</p><p>Or what you might see on NBC news. That's more digested information that you know has been obviously put out in a timely fashion and shared with reporters when, when able to share, but, might not be as extensively technical simply because the constraints are within the media as well.</p><p>It is a two-sided coin and when oftentimes, you can't go technical with most reporters. That's just simply, a fact because oftentimes those stories can't go into the weeds. They only have so many columns and inches and, even on a, a long form feature piece, there's only so much you can say versus when you have your own blog the sky's the limit.</p><p>So those are, at least a few different vehicles and channels that I know we certainly keep in mind when, when trying to get critical information out there. And it, it is a balance. 
Oftentimes, the, the critical and sensitive information can, can be impactful, both from a company perspective, but from a personal perspective, too.</p><p>The threat researchers, they're doing, they're doing very, very sensitive work. And oftentimes, the biggest challenge, from a PR standpoint is, sharing their stories and their research, but while also keeping in mind that, details about their personal information as well as about, certain aspects of their work just must, must remain hidden to protect them And it's</p><p><strong>Elliot V:</strong> The activation channels is like the short answer is where I'm going with this is. I constantly the curse at Reddit and all that, but like people will constantly ask, like, where do you get your threat intel, where do you get your updates and information?</p><p>And the short answer is where I was going with this is there's two pieces and Neal will yell at me if I don't answer with the second one. So the first is obvious. There's obviously a shift in the media landscape where there's less investment energy and being able to support critical reporting on cybersecurity issues and elements of that nature.</p><p>There are organizations like Scoop News Group who are investing in it further. So I, I love that and I appreciate that. But that means that as cybersecurity community members for us in particular, being able to be champions internally to tell, our powers that be, we need to be able to tell these stories, be able to provide technical information that expands beyond what is being covered.</p><p>That is certainly one piece. The other is from the other elements of the members or listeners. You unfortunately have to go to the vendors, the researchers, organizations, and you can get Feedly or some other RSS feed reader. You can even put up Googlers, whatever you want. 
But that is the short answer of like today, the media landscape is covering, certain things that get most read.</p><p>But if you really want like information, intel, unfortunately, you just need to get as many resources as you can chuck it into an RSS reader. And that'll, that'll get you part of the way,</p><p>I think the one thing that I can ask of our listeners, if you are an analyst, you work in the SOC, you work with threat intel whichever meeting that you have. I'm sure you got a comms or a marketing person around go knock on their door when you have an interesting story to tell.</p><p>I'm sure they would be giddy or excited when you're like, Hey, I've got this thing. Let's tell the world about it because there's not enough of that really being published because as you had mentioned, there is a disinvestment. A large swath of media brands. Now, there are obviously some that are doubling down to fill that vacuum.</p><p>That's one piece. The last one, which is where Neal would yell at me if I did not highlight this, is there are ISACs and outside of the U.S. in particular, there are CERTs. There are organizations designed for closed door threat intelligence sharing and even if it's not at that threat intelligence, it could just be IOCs and stuff of that nature.</p><p>Join them. I'm pretty sure there's one for almost everything including, Josh, mute yourself in your ears so you don't hear this. For Weed ISAC, there is one of every flavor of industry that is out there,</p><p>This is a little bit weird, but we are taking a tiny break in the middle of an episode with the magic of editing to now include Mr. Neal Dennis, who was unavailable for the first half. Also maybe had a little bit of technical difficulties, but again, magic of editing, you would never notice.</p><p>I just like to be annoying and that's where we are. 
So picking up maybe where we were last chatting we have Danny who is over at Darktrace, he has been a fantastic voice and reporter in the world of cybersecurity prior to that and has since moved over to the dark side and that is where we're going to pick this up.</p><p>I apologize in advance. It's likely that we're going to pick back up or talk back over some questions that are already asked, but that's totally fine because now we have a little bit of different perspective.</p><p>So let's just jump in. The setting that we're going to lay out is again, this is definitely going to be repeating a little bit of where we are, but the two sides of the coin. So from a reporter or journalism perspective, they have a responsibility and duty to help inform the general public, their readers, to consume information.</p><p>Now there's two lines of thinking. There's like the, we need to make money side and we have to be fast and first to report on that information. But on the opposite side, they don't have the level of information, intelligence, and data that comes from within an organization. So an organization's obviously going to be a little bit more tight lipped about it.</p><p>There's an investigation in most cases. So let's go from there. Danny, you literally have lived in both sides of this equation primarily on the journalism side, but how do you, how do you balance some of that when you're trying to pull a story out and try to inform the public, now that you're behind the walls, you also have to understand that there's a bit of a brand that you're trying to protect its reputation.</p><p><strong>Danny Palmer:</strong> Yeah, that's an interesting question. Thanks Elliot. I suppose one of the things for me is I'm fortunate in a way that I don't really deal with sort of news per se, as it is not a thing. I, I do the stuff behind the scenes at Darktrace. 
I also do the public facing things for the, The Inference.</p><p>And I suppose, yeah, one of the things I think that I don't really write about. No, the company itself, as it were. So for example, I, I will write an article about, let's say I write my article about business email compromise. I will have a perspective from someone in the company in there, probably, but I'll also have external perspectives as well.</p><p>So is it on your points? I am seeing a lot more than I used to see. When I was a reporter, I obviously had a good reputation of lots of cybersecurity companies who happily tell me lots of things, but there was always that sort of thing where you get to a certain point and they won't tell you anymore.</p><p>Obviously now I'm internal somewhere, I see a lot more and I I have to no one's told me do not share this information or that sort of thing, but I have to make my own decisions and take into spec, what, needs to be out there, what, what, what doesn't.</p><p>And obviously, if there's an interesting thing that wants to be out there, I'll, I'll try and push for it. Sometimes I do speak to customers about things, interviews of sort of CISOs and that sort of thing. And we will talk about that, incidents or issues they are, they have had, which can be really enlightening because it's all that way.</p><p>It's interesting coming that from a new perspective as well. 'Cause when I was a reporter, people, even if they were approached to me, I don't know, this is a case study of a company that's, for example, company Y helps this company recover from ransomware attack. Sometimes the CISOs were really open, would tell me everything.</p><p>Other times you could tell there's a bit of hesitation on, on their part. Whilst now it's I don't so much talk about, yeah, those sort of technical things. 
I, I really, I won't really speak about, specific things and incidents, but the more general, I'm working on a piece right now, I've spoken to a CISO of a major company, and it covers a lot of different issues, but lots of it is around how they're adapting to things like cloud, AI, how they're upskilling people.</p><p>It's more of a sort of thought leadership conversation rather than a here's an incident we had and here's how we dealt with it. There are, there, there are examples on the, on the company website where there are the CISO source speak, oh, we, this, the company know detected this email, this stopped that, et cetera, et cetera, et cetera.</p><p>But, yeah, it's, it's I'm closer to where the sausage is made, I suppose is how I put it but I can't quite try to try to finish this metaphor here, share the sausage around so much, so to speak.</p><p><strong>Elliot V:</strong> Yeah, that makes sense to me. And you you're now what I would call a double-edged sword only for fully biased perspective of I have the similar of we've been in the shoes as journalists where you have limited information. But you're able to now understand all that pushback that you got before is exactly what you can apply in the business sense to like, withhold or constrain information until it's ready to be released in whatever format and in the most correct platforms.</p><p>So that's where I'm going to shift over to you, Neal. You being in many different shoes, some in some of the more secretive of natures. How, how do you handle some of that information when there's requests for it? Yeah, let's just throw that out. Very open ended. Okay.</p><p><strong>Neal:</strong> Yeah, I, I don't know how much it remembers outright about where I got my start on the commercial side, but my first non government job was building an intel offering at a DDoS mitigation company who had a very sizable malware forensics company, just as S&Gs. 
They did it for the fun of it because they had the resources and it was a value prop add.</p><p>So is anything at a company that, where it's not your primary bread and butter, that value prop has to be very public and very forward. So these forensics guys did wonderful things, better than some people I saw at NSA and other facilities. Like these were very top notch guys. My job was to take that data, make heads or tails of it, be the intel analyst with it and connect dots and do all the fun stuff, additional research, pivot, so on and so forth.</p><p>But because I was also one of the primary authors of that data. That also meant that when it was published and usually it was tip of the spear type things is usually first to market awareness on a particular threat or very for both secondary stories to the first market stories that were available. So I spent a lot of time in the first two years of my non government career talking with reporters.</p><p>Talking with various news agencies and all sorts of things. It was a very surreal thing for me to go from being secret squirrel and not having, not needing or being able to discuss my job publicly with anyone to now magically everything's out there. And I have to figure out how much of it is guilty knowledge from my own personal perspective.</p><p>And how much of it's actually the research that led me to those assumptions combined with how much of it, once again, can I blatantly put out there in those products and when I'm discussing those products externally. So it was a weird balancing act for me to get started. News reporters will ask you a million questions and first time doing that type of stuff.</p><p>I want to give them all the answers. And then second time doing that, I realized I shouldn't have given them all the answers and realize what's going on out here in the private sector and how that impacts things. And I was very fortunate. 
None of the stuff I ever divulged impacted any ongoing, knowingly ongoing investigations.</p><p>And so that that was the perk there, but it morphed into a lot of things. It went from engaging reporters and doing all this other fun stuff with them to being a normal content research guy and doing my own thing and purposely reaching out in some cases to contacts I had because I thought things were critical or important.</p><p>So it was all about relationship building. And finding someone who I could have the right boundaries with, who understood the dynamic was, I'm going to give you this nugget and that's all you're getting today and here's why I want to give you this nugget because I'm hoping it's going to get me more nuggets privately kind of stuff.</p><p>So that relationship was very key for me. And then, yeah, it's morphed into other weird things since then, but it is a weird world to go from, from all that classified data and then literally the next day be seeing the stuff in the private sector that I'd been tracking for years on the other side of the coin.</p><p><strong>Elliot V:</strong> Yep, that is, that's an interesting point and it actually is gonna bring this full circle towards the inspiration for this particular episode which is at Black Hat there was essentially a conversation of a similar nature. However of similar minds, at Black Hat, third party or independent researchers, external research, external research, my god, words, hold on, I'm editing myself out because that was real bad. At Black Hat, you also tend to see third party or independent researchers release information, that is of a similar vein of what I think you're just discussing there. It is, you have the capability and insight to pull some information out, but it doesn't directly impact you or your customers. It's a sort of like a nicest way.</p><p>And I hate to say is the uglier term is basically a marketing park to be able to 
draw attention to your expertise and information at the expense of other people's mishaps.</p><p><strong>Neal:</strong> Are we still hoping to go talk at Black Hat?</p><p><strong>Elliot V:</strong> That is the</p><p><strong>Neal:</strong> I open my mouth.</p><p><strong>Elliot V:</strong> They do approve all these, if not DEF CON.</p><p><strong>Neal:</strong> My, my problem with, yeah, DEF CON, my, my problem with Black Hat is they, they kowtow to sponsors regardless of the research. And I get it. They got to make money. This was, this happens probably once every handful of years. You get a lawsuit pending against a particular presenter.</p><p>And it's usually, it's usually not a guy who's doing this from the auspice of a company he works at. It's usually as an independent researcher presenting fun stuff. And then Black Hat gets some kind of a pending lawsuit action against them. So then they have to go against the guy and then the guy just goes, fine, I'll present it at DEF CON.</p><p>Yeah, that, that's, that's that thin line there of, are you just trying to sensationalize stuff? Is it legitimate or is this things that you are truly, truly worried about? And this is a good platform to get it out on. My personal opinion real quick is if you're waiting for Black Hat, you're just sensationalizing crap.</p><p>And you're just trying to get publicity for publicity's sake. If it truly matters to you to get it out the door, then you would have already done so, and you would be asking to present your findings as published at Black Hat instead of waiting to publish at Black Hat.</p><p><strong>Elliot V:</strong> That's interesting. Actually, Danny, I can pivot over to you because I'm certain you've covered similar situations where either people are trying to hold information or trying to use you as a vehicle to deliver that information. How did you go about navigating those situations?</p><p><strong>Danny Palmer:</strong> The Black Hat point's an interesting one. 
So as you said I covered cybersecurity all year round and suddenly you'd get a million pitches in your inbox about, various things. A lot of it was interesting, but I was only one, one guy. There's only so much I could cover, especially, I was, I didn't actually get to Black Hat USA when I was a reporter based in the UK.</p><p>I did actually get to go there this year for the first time, out, with Darktrace, which was really cool. But I always thought, I always told people that if it's a really interesting thing, you can tell me about another time, that isn't around Black Hat. Tell me, a few weeks beforehand or a few weeks after, during the event itself.</p><p>There's only so much going on. And sorry, what was the question again?</p><p><strong>Elliot V:</strong> I think it's, that that is good context. I think to align it a little bit further. It's just about how you navigate when it's very clear or pretty evident that the researcher coming to you is basically just using you as a vehicle for their own self promotion, instead of, helping inform the world in whatever capacity is helpful.</p><p><strong>Danny Palmer:</strong> Yeah, I, I, I, I see what you're saying now. Yeah, there's always really interesting ones. You'd say, you'd see something like, for example, just a, a, a theoretical example, you'd get some research say, oh, we've discovered that, two thirds of organizations around the world have been hit by a ransomware attack in the last year.</p><p>And I look at that stat and go, that's, yeah, that's a sensationalist stat. I think if two thirds of orgs have been hit with ransomware in the last year, society would have collapsed by now, I suspect. 
So there was always this sort of thing where, I guess I had a BS radar going on in my, going on in my head, where I think, as mentioned before, I don't have any sort of technical background or anything, but I've been covering cybersecurity as my sole beat for, by the time I left ZDNet, seven and a half years, and I had a few years covering it, as a more generalist reporter before that.</p><p>So I had an inkling of what is, a sort of a real, in inverted commas, story and what is just stat peddling, which I've see, you see a lot, I got very heavy in, in on that and seeing, it's sort of like saying, Oh, this is the things happen. We've seen X amount of this thing happen, which is developed by the PR marketing teams rather than guess the researchers them themselves.</p><p>And I'd usually find with these reports, even if they had some, bizarre headline grabbing stats at the front. I'd always find, so I did take the time to read these reports and papers and things. There was usually something interesting deep in the middle of the report as well, like something that wasn't flagged.</p><p>But say, for example, I remember a really interesting story by a company which sent a big, so it was in their annual report. They had an interesting story about how an organization got breached because someone, an employee was using their work laptop in a coffee shop where the sort of Wi-Fi was compromised, et cetera.</p><p>And I thought I was really interested in the human story as it were. So I was more interested in the human side of it, rather than here's how it affects you. If you're saying, oh, two thirds of orgs have been hit by ransomware. 
That's not helping anyone really.</p><p>That's just I guess it's that sort of that sort of FUD thing that is the sort of things about where a lot of, it's a weird thing where a lot of cybersecurity marketing in some cases relies on this sort of, the bad guys are coming to get you, watch out while the maybe the researchers and analysts are not so much about that.</p><p><strong>Neal:</strong> Yeah, I think the bullshit stats is a great call out. There's only a handful of corporations and entities globally that have what I would consider enough insights to make a claim that X is impacting everyone kind of thing, or a percentage of everyone. And even then those companies are usually very smart to caveat it as, it's from our perspective with this amount of sensor space, which is a good representative data spot for them.</p><p>And obviously not to sales pitch people, but Microsoft, CrowdStrike, Google, some of the big companies with their server spaces and other things globally as well. They truly have a sensor grid that is fairly comprehensible and does that. So if they come out and say two thirds, depending on what it is.</p><p>Then I'm more inclined under the auspice of what they're trying to claim the data set is to believe them. But any other company comes out, I don't care who you are. I, I saw a report that very similar to that. They were like 60 some percent of, of entities had had a breach around, the last 18 months or something like that.</p><p>And then you go and you read it and it's the Verizon DBIR. It's, it's a self reported response. And it had 200 people or something ridiculously small. Oh, good for you. You, you put a Google spreadsheet out there and got a survey response. And two thirds of them responded probably because they were angry with their company.</p><p>And now you're saying that's a representative dataset. It's hilarious stuff. And, but you're right. It's sensationalism. 
When I was writing those products back in the day, when I had to have a really good conversation, heart-to-heart with marketing, and then my CTO also had to come down and talk to marketing and they were allowed to obviously use those as they should for, for promotions and things like that. Hey, look what we wrote, look what we did publish between these channels, spin up news, things, all this other stuff, but they weren't allowed to rewrite any of the taglines or any of the subjects that I'd put out, or that we as a team had reported on in general to do anything whatsoever.</p><p>So if we, whatever we put as the impact statement, that impact statement had to stay. And so I was very fortunate with my CTO standing by that to where marketing wasn't allowed to go over the top of that. Oh my God. Look at this new threat after doing X, Y, and Z. They're going to come after you and kill you.</p><p>Buy stuff, buy stuff. Very, very lucky in that. It also didn't hurt that I was working at a company that ultimately had very little ability to, to impact that type of stuff outright on a grand scale. That wasn't their primary product offering. So made things fun. Yeah. Sensationalism is a big deal and learning lessons on how to talk with individuals, reporters who are especially net new to that and give them the right lines and make sure you're not misquoted has always been an issue.</p><p><strong>Elliot V:</strong> Yeah, I think that's a good point. And speaking from someone who is within the walls, you hear the dogs barking. You probably can't mute. All right.</p><p><strong>Neal:</strong> Cocks go off outside. I have chickens.</p><p><strong>Elliot V:</strong> Oh, and the baby's crying. This is trifecta. All right. The magic of AI will be at this. All right. I'm editing so many buttons. 
So speaking very vaguely as someone who has worked or currently works within one of those large organizations, there's also the wrath of legal teams and researchers, who tend to take precedence over any kind of marketing material.</p><p>And I can just tell you it lasts like 48 hours. I copied and pasted a piece of information without context, and I saw that wrath firsthand. It is an important control mechanism. So I'm just gonna throw that out there. But anyway, to sum up what I think I've heard, and I think it depends on who we're aiming this piece of information at, from a media perspective:</p><p>If you're seeing some of that kind of iffy information, maybe ask that organization to speak to the researcher behind it and see. Just bypass the PR and marketing folks to get the real information.</p><p><strong>Neal:</strong> I'll tell you what, as a consumer of products, if it's a sensationalized post, at least to a sales pitch, I'm not buying your product. Even if I had it on my list to buy. Very blunt. If that's how we got together. If I'm in touch with the sales rep and they're not doing that, or they're not promoting that type of content, then we're still on good grounds.</p><p>But if my first foray into you as a company is an email outreach claiming that I'm about to die and my computers are all about to get hacked, or that 92 percent of everybody sees this and you're one of them, so buy me now, then you're going on a do-not-call list. And I don't care if you're industry lead or not.</p><p>I'm not dealing with that kind of crap. So marketing can ruin it for the sales team, who can ruin it for the tech team, who can ruin it for everybody else, kind of stuff, right? 
So just getting all those facts straight and making sure that whatever story you have as a tech producer is the story that actually makes it out to the public.</p><p>That way the company looks right, in the right light.</p><p><strong>Elliot V:</strong> I would argue that most of our audience from the security practitioner side would agree to similar terms of that. I think that is a very vocal perspective that we see, and one definitely baked in reality and necessary.</p><p><strong>Neal:</strong> Danny, I got a question for you, sir. Have you ever had to be the guy who, I know you're at a product company now, so you can say no, have you ever had to, or been requested to, write one of the doom and gloom posts, the "the world is ending, come talk with us" posts? Have you ever had to do crap like that?</p><p><strong>Danny Palmer:</strong> I can safely say I haven't, no, and I haven't been asked to do anything like that either. And it's one of the things, I'm not directly in the comms team, but if, like for stats, for example, information, they'll ask me, would this fly with you when you were a reporter? And if I say no, it's unlikely to go out.</p><p>I think that's part of the reason I've been brought in as well, to help give that perspective, where it's not going to be seen as putting information out there which is not helpful to anyone. But no, I haven't written the, I'm not on the product side of things, which is an interesting thing.</p><p>So obviously I read about and know about products. I'm trying to use the internal resources. Yes, I have no technical background, but I'm trying to get more technical from having this access. But yeah, on the actual sort of thing I write, on the inference, one of the key points of it is no product marketing at all.</p><p>There's no sort of, dark face products do this, that, or the other. 
A lot of the pieces even mention the company in the thing, obviously, say, on top of the page, but it's not, for example, a customer case study. I'm not talking to an organization, how did this product help you? The marketing and case study team would do that sort of thing.</p><p>These, we call them innovation conversations. It's just talking to practitioners about what they do, challenges they have, thoughts they have, which is just designed to get those views out there. And hopefully, so it's like when I was a reporter, if you have sort of experts and practitioners talking and making comments go out there, it's helpful to others in the industry as well.</p><p>One of the reasons back at ZDNet when I used to get these interviews with people who'd been affected by ransomware, for example, the CISO would tell me, I want to get the story out there. I want others to learn from what happened to us, which, as I'm sure we're all aware, there's quite a lot of playing cards close to the chest in this industry.</p><p>And I saw my role back then, and now to an extent as well, as getting people to talk more openly about these things. 
And it's been quite, obviously the whole project is still fairly new, but it's been quite neat how contacts from my previous roles, and I don't know if anyone knew it, ZDNet, I'd be happy to contribute to this even though it's not got the gravitas and prestige of a known publication. It sounds weird to say, but they've done this because I've asked them to, because I guess they have a relationship with me, which is nice to think of. And yeah, it was weird when I was walking around Black Hat, like people stopping me, recognizing me, either PR people who I'd been in touch with, or researchers, or just people I knew from online.</p><p>It was very odd. It's a weird place thinking that, yeah, I was quite well known in the reporting space. So it's not a big world, the cybersecurity reporting space. It seems to be getting smaller as well, for reasons I'm sure we're all aware of. But yeah, that was a really interesting thing.</p><p>And it's interesting how, yeah, people are still, with this new role, a lot of people, not everyone, but a lot of people are still happy to talk to me and deal with me in this way. But one of the pieces I did at Black Hat was I spoke to DARPA about their sort of cyber AI sort of protection project.</p><p>And that basically came about because in my previous role, one of the last pieces I wrote there was about a DARPA project about securing AI. And that started because they slid into my Twitter DMs. I was on holiday, and DARPA slid into my Twitter DMs. And I thought, okay, DARPA is speaking at Black Hat. How can I get this?</p><p>I don't have their contact details anymore because it's in my old inbox. I just did the same, slid into their DMs and did it that way, which was really neat. And yeah, it's nice to know that, yeah, people are still happy to speak to me about these sorts of things. 
And hopefully that article helped explain what this contest was, helped put information out there. And I've mentioned it before, but I have this sort of public service broadcasting ethos in what I do: inform and educate, and hopefully be entertaining narrative reads as well, with the things I'm doing now as well.</p><p>I have much more freedom, the long form stuff. I'm not given a word count or anything like that. So it's both a blessing and a curse when I turn in, here's a 4,000-word draft of an interview of someone I've spoken to. But yeah, it's cool to think about.</p><p><strong>Neal:</strong> Awesome. Love it.</p><p><strong>Elliot V:</strong> And that brings us to the end of this episode, unfortunately, but Danny, thank you so much for joining us, giving us your perspective. I know you're fresh over to the dark side, as I would like to refer to it.</p><p>Neal, thank you as always for coming in and bringing the practitioner intelligence perspective and a little bit of that, I guess, maybe product-oriented one, but that's it. So if you want to join the soap box, you want to join this conversation, I feel like there's quite a few media literacy episodes that we can talk about in the future.</p><p>We'll go from there. So you let us know. Anyway, that's it for AZT. We will see you next time.</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, go to <a href="https://www.adoptingzerotrust.com/">adoptingzerotrust.com</a>. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers,</p>]]></content:encoded></item><item><title><![CDATA[And now for something completely different: GRC Uncensored]]></title><description><![CDATA[We're piloting a new podcast about GRC, but not the boring parts. 
Let us know what you think.]]></description><link>https://www.adoptingzerotrust.com/p/and-now-for-something-completely</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/and-now-for-something-completely</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 10 Oct 2024 13:39:03 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!ScFT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ScFT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ScFT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!ScFT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!ScFT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!ScFT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!ScFT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2831321,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ScFT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!ScFT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!ScFT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 1272w, https://substackcdn.com/image/fetch/$s_!ScFT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd7177528-362a-4fdd-97c0-8af13a74ca9b_2240x1260.png 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><p><em>Catch this episode on&nbsp;<a href="https://youtu.be/yUajsnIruhs">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/grc-uncensored/id1772569478">Apple</a> or <a href="https://open.spotify.com/show/0clUXasQNiFClAtTaQP4nB">Spotify</a>.</em></p><p>First, don&#8217;t worry, Neal and I are not going anywhere. 
In fact, because AZT is doing so well, we have decided to spin off a new pilot series to cover an aspect that just doesn&#8217;t quite fit within our walls. </p><p>With that, it&#8217;s time to introduce you to GRC Uncensored, a new independent series where we dig into all things compliance, risk, governance, and regulations. Also&#8230; tools, vendors, and all the fun things that are not adequately covered. We will not be talking about controls, implementations, and other boring aspects. So off we go to episode 1.</p><h2>The Commoditization of Compliance</h2><p>In this first episode, the discussion starts by acknowledging the love-hate relationship many professionals have with GRC. Kendra Cooley, with over a decade of experience, opens the dialogue by highlighting its utility and challenges. While compliance frameworks like SOC 2 can facilitate organizational security direction, they often don't translate into best practices, leading to a strained relationship between security teams and compliance mandates. 
AKA, people check the box and go on about their way, or worse, they feel they are now sufficiently secure.</p><p>To read the full recap, head over to our home for <a href="https://grcpod.substack.com/p/the-commoditization-of-compliance">GRC Uncensored</a>.</p>]]></content:encoded></item><item><title><![CDATA[How to Operationalize Your Company for Adopting Zero Trust]]></title><description><![CDATA[Season 3, Episode 14: ThreatLocker&#8217;s Rob Allen kicks off our mini-series that digs into how companies prepare for adopting a new cybersecurity strategy such as Zero Trust.]]></description><link>https://www.adoptingzerotrust.com/p/how-to-operationalize-your-company</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/how-to-operationalize-your-company</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 26 Sep 2024 10:35:54 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/149425860/b253036169158b2076017ce79cb9f4b4.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!yQEE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!yQEE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!yQEE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 848w, 
https://substackcdn.com/image/fetch/$s_!yQEE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 1272w, https://substackcdn.com/image/fetch/$s_!yQEE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!yQEE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png" width="1280" height="720" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:693996,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!yQEE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!yQEE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 848w, 
https://substackcdn.com/image/fetch/$s_!yQEE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 1272w, https://substackcdn.com/image/fetch/$s_!yQEE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2221e18b-f31b-486c-b427-0fbc3d1cc965_1280x720.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a 
href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or&nbsp;<a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Despite three seasons of exploring various aspects of cybersecurity, we have yet to discuss how organizations prepare for new cybersecurity strategies from an operational perspective.</p><p>In this first part of a three-part series, we partner with <a href="https://www.linkedin.com/in/threatlockerrob/">ThreatLocker</a> experts to discuss how organizations can prepare and align themselves for a Zero Trust approach. <a href="https://www.linkedin.com/in/threatlockerrob/">Rob Allen</a>, ThreatLocker's chief product officer, joins us for this conversation, bringing a wealth of experience from both technical and market-side perspectives.</p><h3>From our Sponsor, ThreatLocker</h3><p>Do zero-day exploits and supply chain attacks keep you up at night? Worry no more, you can harden your security with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.</p><p>ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team.</p><p>Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. 
Visit <a href="http://threatlocker.com/">threatlocker.com</a>.</p><div id="youtube2-S_RQ-um79IA" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;S_RQ-um79IA&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/S_RQ-um79IA?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Key Takeaways</h2><ul><li><p>Rob Allen, Chief Product Officer at ThreatLocker, brings experience from both technical and market positioning perspectives</p></li><li><p>The first of our three-part series explores the preparatory stages of transitioning to Zero Trust</p></li><li><p>Education plays a crucial role in changing the mindset towards proactive security measures</p></li><li><p>Organizational buy-in can be a challenge, but vendors are happy to assist in this department</p></li><li><p>Internally, you&#8217;re unlikely to find people using the term Zero Trust in place of actual use cases</p></li><li><p>Zero Trust is presented as a mindset rather than just a technology or product</p></li><li><p>The concept of assume breach is central to the Zero Trust approach</p></li><li><p>Practical demonstrations, like the ducky challenge, are used to illustrate cybersecurity vulnerabilities</p></li></ul><h2><strong>Understanding the Operationalization of Zero Trust</strong></h2><p>To kick things off, we cover the basics: Do you need a new strategy or to enhance your existing one, and where do the pillars associated with Zero Trust fit into the picture? By taking an outcome-driven approach, focusing on processes and gaps, organizations are better prepared to work with key business areas to drive alignment. 
As we know, without a plan and support, scenarios like shadow IT crop up.</p><p>That said, security practitioners constantly adapt to changes impacting users and interactions; hence, understanding the operational aspect is vital.</p><p>As for our guest and setting the scene, Rob has a rather diverse background, but to sum it up, his journey moved from helping companies recover from cyberattacks to aiming to prevent them altogether. It lines up well with cybersecurity maturity and shows the common, or aspirational, transition from a reactive to a proactive approach in cybersecurity.</p><h2><strong>The Importance of Proactive Cybersecurity Measures</strong></h2><p>Today, many organizations only take security measures seriously after a breach. Rob sees this as much a psychological challenge as a technical one: it's often human nature to feel secure until something goes wrong. He stresses the role of education in changing this mindset, highlighting that some people and organizations need a wake-up call, while others proactively seek to improve their security posture.</p><p>Neal weighed in, recalling his experiences in consultancy, where companies often react post-breach instead of investing in preventive measures. But nothing motivates a board and executives to properly invest in their cybersecurity program like a public incident.</p><h2><strong>The Role of Zero Trust in Modern Cybersecurity</strong></h2><p>Rob sees Zero Trust as a mindset rather than a technology or product. He summarizes Zero Trust in two words: "assume breach." This perspective encourages organizations to operate as if their systems have already been compromised, limiting access to what's necessary and implementing default-deny policies.</p><p>At an event, he challenged attendees with a ducky challenge, using a rubber ducky programmed for data exfiltration. 
Despite warning participants and offering clear instructions, a bank&#8217;s security team mistakenly allowed data exfiltration. And before you think "of course that would happen, it&#8217;s by design": that team didn&#8217;t actually take the ducky. Rather, they took the script, did not alter it, and exposed their information multiple times in testing the theory. Oops. Misconfiguration strikes again.</p><h2><strong>Implementing Zero Trust: Steps and Strategies</strong></h2><p>Fun stories aside, there are multiple pathways for organizations to shift towards Zero Trust. A good example comes from former <a href="https://www.adoptingzerotrust.com/p/the-current-and-future-state-of-zero">Forrester analyst David Holmes</a>, who walked us through their approach, or even the minimum viable product (<a href="https://www.adoptingzerotrust.com/p/canvas-kane-narraway-on-building">MVP) via Canva&#8217;s Kane Narraway.</a> Before that begins, teams need to understand what's required for business operations, evaluate existing software, and eliminate unnecessary access points. Rob emphasizes that one of the first steps is visibility&#8212;knowing what's running on your network. Many organizations are unaware of the full scope of software and tools in use, which can pose significant risks.</p><p>To be strategic (vs. simply following a framework like NIST CSF), Neal suggested that teams need to bridge the gap between understanding their threat model and developing a Zero Trust strategy. It's a step-by-step approach: securing what's needed, identifying gaps, and gradually implementing controls. 
Rob acknowledged that while it might seem daunting, choosing the right tools and adopting a methodical approach can make Zero Trust manageable and effective.</p><h2><strong>Part Two: Electric something something</strong></h2><p>Stay tuned for part two of our series with ThreatLocker, where we get even more into the nitty-gritty of operationalizing Zero Trust.</p><p><em>For more detailed insights from our episodes, visit&nbsp;<a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a>&nbsp;and subscribe to our newsletter.</em></p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot:</strong> Hello, and welcome back to Adopting Zero Trust. I am your producer, Elliot Volkman, alongside our host, Mr. Neal Dennis, and today we're going to be digging into a piece of the Zero Trust story, which somehow we have not arrived at in the three seasons or so that we've done this, across God knows how many episodes and how many experts.</p><p>But we're going to be talking about the operationalization of Zero Trust. So we've defined it, we've ripped it apart, we've heard from organizations as large as can be and how they've adopted it, but what happens in the before state? How do organizations prepare and align for these kinds of things? As our audience would know, as security practitioners, you live day in and day out with how you have to adapt to any changes, any shifts that might impact users directly, how they interact with things.</p><p>It has side effects, so to speak. So that is where we're going to be starting today. This is going to be the first of a three-part series that we are building in partnership with the lovely folks over at ThreatLocker, and we're going to just go from there. 
Maybe we kick it off with our guest, which is Rob Allen, the chief product officer over at ThreatLocker, who has had a pretty diverse background, if I might say.</p><p>Started in tech, worked in it, but also dabbled on a little bit of the go-to-market side. Both sides of the coin, which I will say is not easy to be able to dance between. And now you're leading and directing the product at an organization which, I will say, we've heard nothing but very favorable things about as far as the Zero Trust technology goes.</p><p>So Rob, maybe if you'd like to expand upon that introduction, add a little bit of color.</p><p><strong>Rob:</strong> Yeah, I suppose to put it quite simply, Elliot, I have gone from helping companies recover from cyberattacks to trying to stop them from being cyberattacked. So that's where the both sides of the fence thing very much comes in. I spent a lot of the years prior to joining ThreatLocker cleaning up.</p><p>Recovering, wondering what we could have done differently and why our antivirus didn't stop it and why it wasn't detected, et cetera. So going from that, I suppose, frustration to helping organizations not get hit has been somewhat eye opening, but it's been a phenomenal, I suppose, career turn for me.</p><p>It's so nice to not be constantly worrying about where the next attack has come from. Who's going to call me on a Monday morning going, we can't get into our files. Can you help us out? 
I mean, you guys know the drill, but going from that to stopping it from happening, or hopefully stopping it from happening, has been phenomenal.</p><p><strong>Elliot:</strong> Would you say that a lot of, in our Zero Trust architectures, the concepts, things from like NIST and CISA, those elements help actually get organizations to a more proactive, preventative state instead of the sort of chaos that we've lived in and still see generally?</p><p><strong>Rob:</strong> I mean, I suppose there's a couple of ways you can look at it. One very simple way to look at it is, unfortunately, a lot of organizations only take these things seriously when they are victims or when they've had an incident or something has gone wrong. I think it's just human nature. It's not a criticism.</p><p>It's literally just human nature. It's, look, everything is fine. I've never been hit by a cyber attack. I've never had a ransomware, never had a breach. So everything I'm doing must be perfect. So therefore, I don't need to do anything differently. So I suppose you could sum it up as saying there's two types of people in the world.</p><p>There's those who have been victims and those who will be victims. So it often takes something like that happening for people to, I suppose, come around to the importance of protecting themselves. But at the same time, I suppose part of our job is to educate people, much as it is yours, is to tell people, look, you can be doing more.</p><p>There are other ways you can approach this problem that could be as effective, if not more effective, than what you're doing currently. And I suppose that's why we're all here today. It's about hopefully educating people or at least getting them thinking in a different way.</p><p><strong>Elliot:</strong> I love the optimistic yet realistic approach to that situation, because yes, if your organization gets popped, that's when the budget comes in and that's when you get people to actually start listening. 
The board starts taking it seriously and yeah, we, we know the drill, but I am curious if there is a world where organizations just proactively go, Hey, that happened to the organization over there.</p><p>Maybe I should lock things down a little bit, but yeah.</p><p><strong>Rob:</strong> I think that happens more often than you might think. The problem is though, I mean, realistically, most cyber attacks are not publicized. Nobody knows that they're happening. I mean, I, I saw a statistic one time based on the number of attacks that an attack happens every 11 seconds. Fact is 99.999 percent of those attacks nobody knows about.</p><p>It's the organizations that are cleaning up. It's not, it's not publicized. It's only the really big ones that tend to get out there in the public sphere and that everybody hears about and knows about. You might have situations where one person works in company A, which got hit, and somebody else works in company B, which didn't, and they may talk, but that's a very small number of cases.</p><p>But again, it's just generally from our perspective, it's about educating people about the dangers and also how they can protect themselves.</p><p><strong>Elliot:</strong> That sounds about right. Again, I, I do appreciate the optimism and that there is a balance in the world.</p><p><strong>Rob:</strong> I am fundamentally an optimistic person. I'm Irish. That's that. We're, we're, we're, we're an optimistic people. As you may have</p><p><strong>Elliot:</strong> if anything, I.</p><p><strong>Rob:</strong> Michigan accent.</p><p><strong>Elliot:</strong> Neal, I'm going to actually shift this over to you for a moment here, so you've seen both sides. I feel like we've had a few conversations where if you've been the victim of one attack, you're probably going to get hit again, especially if it's ransomware.</p><p>Do you want to dial down the optimism? What's, what's your take? 
And then we can look into the operational side of the story.</p><p><strong>Neal:</strong> I, I like to take notes when we're doing these conversations all the time so I can try to remember to come back to things if I think they're important so I can focus. And I literally wrote optimism versus skepticism on my note here two minutes ago.</p><p><strong>Elliot:</strong> I was just reading your face. That's all.</p><p><strong>Neal:</strong> I'm going to caveat this for people who know my background. I worked at a consultancy company and my first foray into the commercial world after being on the government side for a while was for a big retail box company that may or may not have a symbol that's circular with a dot in the middle.</p><p>And so I was brought on as part of that mitigation team through the consultancy firm that I was with. And mitigation, they're an example of we didn't do anything technically right until we had to, basically, right until someone made us. And I think we had that whole era of big retail and other breaches for about almost eight years, seven, eight years of just back to back to back, nonstop, LinkedIn, OPM later on in the day. And you would think, optimistically speaking, that people would have learned from that as a whole and that most people would have been like, let's not be the next Home Depot or Target or whoever. Right. And let's go ahead and apply some, some dollars to, to preventage, preventing, right?</p><p>And I think most of them did. I think most of them looked at that post issues. And moving along the power curve here for me, I worked at a few companies and consulted where that was the case. They're like, we don't want to be the next X, whatever. And so they, they did, but they do it within a very finite space.</p><p>They go, what's the bare minimums? 
They look at standards and they, they maybe realize there's four or five standards that they should map out to and they check a box on one and a half of them and they go, we're good. We're good. And they just don't want to apply funding because it becomes that cost benefit analysis of 1,000,000 every year for the next five years, or 10,000,000 on an if scenario.</p><p>And Rob, like you mentioned, it's not really a matter of if. If you haven't put the walls up, it's just a matter of when. And brand reputation, dollars applied, so on and so forth, which one really costs you more long term? The couple million dollars a year to make sure it never happens, or hopefully never happens, or you're able to mitigate it faster when it does.</p><p>Or the 10 million, a hundred million, and then the brand rep hit at the end of the day. And I think that's the conversation that I'm interested in from getting started. Cause you got to make the argument around why, and you can no longer just say because Target did. It's a little antiquated, but you need to have other stuff.</p><p>And then once you make the question or answer the question why, now you got to talk about the what and how, and I think that's the getting started for me, is justification and why you're applying justification and the dollars to the C-suite people. What are the strategies and the dollars tied to that strategy that you can also help educate to show the ROI for mitigation and preventative strategy?</p><p>So I mean, how much, how much work have you had to do just on the buy in aspects, right? Before we even talk about actual zero trust strategy, how much of your life or how much have you seen people's life spent on just trying to get someone to even come to the daggum table?</p><p>To talk about procurement to be able to move forward in that. And then what are your suggestions on how to get people at least to the table on that effort?</p><p><strong>Rob:</strong> No. 
Look, that, that, that is, that is our job every single day. It's about getting people to look at the problem in a slightly different way. It's about realizing there is a problem, I suppose, first of all and again, a lot of that comes back to just conversations.</p><p>A lot of it comes back to education. I mean, I'm. Going this weekend to an event and well down the road in Tampa, and it's going to be talking to people showing them what can happen and I've been playing here. I have a rubber ducky in my hand at the moment. We we love rubber duckies for demonstration purposes.</p><p>But. One of the things that we've been doing quite recently is showing people how you can use tools like ChatGPT to get malicious code. I've had conversations, or I'm currently having conversations with ChatGPT to try and get it to obfuscate some PowerShell, ReverseShell and PowerShell. It's surprisingly obliging.</p><p>Depending on how you ask the question. So taking that knowledge experience, showing it to people, say, look, I've got this little thing here that if you plug it in, it's going to allow me to connect your computer. You won't know what's going on. We've another one that we do, which is basically data exfiltration using PowerShell.</p><p>Just a one line PowerShell command that'll recursively go through your data and upload it all to our, our blob. People never cease to be amazed at how easy it is. We've I I mean I could I can tell you mind if I tell you a story about this actually cuz I think</p><p><strong>Neal:</strong> Have at, we're anecdotal people. We like it.</p><p><strong>Rob:</strong> Excellent.</p><p>Okay, and so we have as part of our presentations we do a thing which is called the ducky challenge So the ducky challenge is basically where we have a rubber ducky With data exfiltration programmed into it. So plug it into a computer. It's going to upload your data. 
We've tested it and run it against pretty much every major radio audits out there.</p><p>And in every single case, we've got the people's data. I mean, we've had dozens of people who have volunteered and allow us to plug it in. The joke we make is we say, look, this is a rubber ducky. It's got to exfiltrate your data. If you think your current cybersecurity solution will stop this from stealing your data, come talk to us, we'll plug it into your computer.</p><p>If you win, you get to keep the rubber ducky. If we win, we get to keep your data. Now, most people when presented with that proposition will just laugh politely and go, yeah, you're never going to plug that into my computer. But as I said, we've had dozens of people volunteer, including, and this is a really interesting one.</p><p>A, I, I did it in Dubai about a year and a half ago. And two very serious looking gentlemen, the CIO and CISO of a large Middle Eastern bank. Approach me. And they said, look, we don't want to plug the rubber ducky in, but if you don't mind, would you please send us a copy of that PowerShell command, the script that you're using to exfiltrate the data.</p><p>We want to do some testing. So I said, no problem at all, gentlemen. I sent them a copy of the script with very clear instructions. You are going to want to change this portion of the script. Yeah, yeah, you can see where this is going, obviously. You're going to want to change this portion of the script because that is our Google Blob.</p><p>Okay, if you upload data there, it is going to be accessible to the world. So change this bit of the script. Following day, I flew back to Ireland. It's about a nine hour flight from Dubai to Ireland. Decided I was gonna switch off, okay? No internet, I'm gonna, have a bit of a sleep, maybe watch a movie or two.</p><p>Just disconnect. About five hours into the flight, I got bored. 
And got wifi, got online. Soon as I did, my Teams explodes, including a message from one of my colleagues with a picture of a guy, one of our guys at the event, looking really worried on the phone. And the tagline was, Harvey on the phone to a Middle Eastern bank who did the ducky challenge and got their data exfiltrated.</p><p>They basically ran the PowerShell script unedited, uploaded 338 files to our blob storage and were understandably panicking. There's, I mean, it just goes to show how easily it happens. I mean, they obviously had some belief that something was going to stop this from happening, but as the evidence would suggest, they were slightly mistaken.</p><p>But the really interesting thing about this, I suppose the sting in the tail of the story, is that not only did that one person upload data, I tend to go into that blob from time to time and just make sure nobody's done anything they shouldn't. And I went back in about two weeks later and found more files uploaded by the same bank.</p><p>Two other users, right? So they had three separate self exfiltrators in the security department of a bank. I mean, the mind boggles, but as I said, they had some sort of a belief, mistaken as it turns out, that something would stop this from happening. Something would protect them from their data getting stolen.</p><p>But I just think it's a, it's a really good example of, look, educating people. They now see how easily it happens. I now tell people like you stories about this so they can see how easily it happens.</p><p><strong>Neal:</strong> I love it. I love it. So I think lessons, at least some quick takeaways right off the bat. You started off lower barrier to entry. I always loved this. Personally, because I mean, I'm not going to presume to know how old you are, but I've been around for 24 years in this industry, one way or the other.</p><p>And when you first got started, everybody thought it was a government thing. 
Only the government's going to get into the big things. Then you flash forward, early 2000s, and magically the Brazilian script kiddies are getting into everything. Flash forward to 2007, the Russian script kiddies and the Russian Business Network, so on and so forth.</p><p>Escalation, escalation, escalation. But it only escalates because the barrier to entry got lower and lower and lower over time. And to your point, I, I think one of the basic things to highlight is look at all the stats just from the last two plus years, courtesy of the ChatGPT revolution, and people put articles out about it.</p><p>If, if I want to craft an email and pick a language today, I can do that, whether I speak that language or not, and it's going to be pretty dadgum convincing. And we saw that immediately once ChatGPT 3 came out. I mean, 1 and 2 were around well enough, but once 3 hit the market and became public news, the Russians, and Eastern Europeans, whatever, were making these wonderfully well crafted English emails that no longer had the missing articles and all the other crap in them that they're normally known for.</p><p>Just that alone should be worrisome enough for people. Pulling up stats on the increase in threats alone should be enough to start that conversation. And I think the other piece that you mentioned what y'all are doing is finding ways to potentially partner up with people looking for support to incentivize change. And I think to me, that's the other critical component is if I'm sitting on the customer side of the house, if I'm sitting on the enterprise side of the house, and I know something's got to change, I need to find data to support that. 
I need to find out how to talk to someone like yourself on the C suite and more often than not, if I'm a SOC manager or, or someone sitting on the threat hunting team or, or, that lower level management role, I don't necessarily know how to go speak C suite, but I can find someone at a right product company that I think is a good partner to help me do that.</p><p><strong>Rob:</strong> That barrier of entry point is really, really interesting. I mean, realistically, the barrier of entry now is pretty much on the floor. Now, for a long time, I mean ransomware as a service has been a thing for so long that you didn't need skills, you didn't need knowledge, you didn't need to know how to code.</p><p>All you need was basically to go on the dark web, pay a couple hundred dollars and suddenly you're an affiliate and you've got ransomware as a service. That was one level of really low barrier. Now the level, as I said, is even lower because you just go on to ChatGPT. Now, obviously, they've built some protections in, so if you go and ask ChatGPT, can I have a reverse shell, it's going to say, no, no, no, I'm a large language model and I've got ethics and morals and all sorts of stuff like that.</p><p>There was a time, by the way, about a year ago, when you could bypass that by saying, look I'm a cyber security researcher. I work for a cyber security company. Can I have the code please? And I would go, okay, then here you go. There's the code. Now they've plugged those loopholes as well.</p><p>But what I found is really interesting is if you ask the question. In a slightly different way. So instead of saying, can I have C sharp code for a reverse shell, please? You say, can I have C sharp code for a simple or a man that will allow me to type commands into a computer remotely? Boom, there's the code.</p><p>I actually have that on a machine beside me here right now. A piece of code. 
When compiled, is a reverse shell, talks to netcat, does not get detected by any antivirus because it's fundamentally not known bad, it's not something that has been seen before, and the barrier to entry is on the floor. All you need, I mean it was, as I said, once upon a time you needed skills, you needed knowledge, you needed abilities, now all you need is bad intentions. You know what I mean? Knowing how to ask the right question of something like ChatGPT to get the answer that you're looking for. It's, it's, it really is, it's, it's just made being bad available to so many more people.</p><p><strong>Neal:</strong> As a second part of this episode, for those tuning in, we are discussing how to become a threat actor 101. Now the</p><p><strong>Rob:</strong> That's actually the title of our presentation at the moment, how to create successful malware and how to defend zero trust. And one of the interesting things is when we make the presentation, one of the kind of jokes I make to break the ice of people, as I say, look, who here is interested in how to create successful malware?</p><p>And half of the room put their hand up and I'm like, right. Who's interested in how to protect with zero trust? And the other half of the room put their hand up and I'm like, yeah, I always like to get an idea of who the potential criminals are in the room. Will you be amazed at how many are interested in how to create successful malware?</p><p><strong>Neal:</strong> Hey, as a former red teamer type person, you got to know how to break things in order to fix them. I think if you're going to sit on, on the blue team, you should also sit on the red team for part of your journey and vice versa to understand the pain points or the availability of data. One way or the other.</p><p>On your same anecdote. I use chat GPT to write a couple of beneficial encryption services. And same thing you're right back on barrier of entry. 
If you know how to</p><p><strong>Rob:</strong> That, that sounds like part of ransomware. Yeah.</p><p><strong>Neal:</strong> my Netcat stuff set up.</p><p>So thank you. No, uh, but you're right. The, the whole, the whole point being, barrier to entry now is legitimately just based on intent and with, with the right intent. You can do a couple, even all in ChatGPT for the most part. You can even ask it, you know, what's the latest threats? All right, ransomware.</p><p>Cool. All right, what's ransomware's number one way of doing whatever it does, and you get educated and all this stuff. And then you spend the next couple of days on Reddit or somewhere else finding all these wonderful prompts that people have used for security investigations and then you find yourself in the dark web asking for ransomware as a service while you're trying to build your own tool,</p><p><strong>Rob:</strong> It's a slippery slope,</p><p><strong>Neal:</strong> It is, yes, and</p><p><strong>Rob:</strong> but the other, the other thing I would say that's interesting, I mean, obviously we're talking about malicious code. We're talking about bad programs. One of the things that I've slowly, not even slowly. One of the things I'm increasingly aware of is the fact you don't actually need malicious software to do malicious things.</p><p>We've seen instances where tools like WinRAR are used for data exfiltration and encryption. I mean, that's, that's basically most of ransomware right there. And it's done with an otherwise legitimate program. I mean, AnyDesk is the remote access tool of choice of ransomware gangs.</p><p>It, but they use the thing.</p><p>And again, something we've seen a lot more often is a tool called, now, this is going to cause an issue with my accent. Okay. And I apologize for this in advance, but every time I say this, everybody looks at me like a dog with a, I don't know, or clone. Okay. So the number or the letter, or clone. 
I don't know how you pronounce Orclone, but that's how I pronounce Orclone.</p><p>Orclone is the data exfiltration tool of choice right now. Okay, I mean, anybody who's listening, go look around your network. If you can see Orclone there, there's a fairly good possibility or probability that it has been used by a threat actor to exfiltrate data from your environment. Again, what do AnyDesk and Orclone have in common?</p><p>Neither of them are ransomware. Neither of them are malware. Neither of them are bad. Neither of them is something that EDR is going to stop. Can they be misused? Absolutely.</p><p><strong>Neal:</strong> yeah, which gets</p><p><strong>Rob:</strong> Are they misused? Yes, very much so. That, that's why detecting known bad things is not the answer. It's not the solution. It's not going to protect you.</p><p><strong>Neal:</strong> and that is a great transition into what will, and into the Zero Trust start. Talking about generating some kind of cognizance around buy in, the barrier to entry, all that fun stuff. If you get people to the table, now you got to obviously present them with an idea or a strategy, whatever that may be.</p><p>And highlight stuff exactly like this, the things that are in your environment for day to day use are the things that threat actors are going to try to take advantage of first and foremost. And that is, as sad as this is, people don't realize that that has been the modus operandi for threat actors since the 90s, heck, since the 70s with ARPANET.</p><p>The moment you could get on there and find something that would do the job for you that's not blocked, within reason, you're going to use it. Why am I going to go and install Mimikatz or something else if I can just remote from something that's native? The last anecdote I have of that, I had, you remember PuTTY?</p><p>I don't know if people still use it that often, but I, I do. Not on this box, anybody paying attention, don't try to do it on this box. 
But, back when I used to wear the other side of the hat, it, it blew my mind how many people just had something like PuTTY just there, with everything loaded in, not password protected, with all the various shells and everything else just ready to go.</p><p>So you get onto the box and just go, boop, and the whole world opened up right in front of me. I didn't have to install anything. I just had to get in to the initial exploit point. And there it was on that box. It was beautiful. So it brings us back to the other point though, the zero trust strategy, right?</p><p>So we talk about using the commonplace tools. We talk about the fact that it's more often than not, that's likely what's going to happen and will happen, period. So bringing it back to a strategy perspective, we get buy in. We at least get people to the table. What's the next thoughts around post highlighting threats?</p><p>Thanks. And now we've got the initial talk to discuss what that strategy might look like. Where's a good way to start thinking about the strategic level for the zero trust strategy? Where would people want to get started for that to actually present the next steps for resolution or, or attacking the problem?</p><p>I should say,</p><p><strong>Rob:</strong> I mean, first of all, it's about attacking the problem from a different angle. It's about accepting that your traditional approaches are not going to work. Sorry, your traditional approaches will probably work most of the time. They're not going to work all of the time. If they did work all of the time, there would be no such thing as breaches.</p><p>There wouldn't be any such thing as ransomware. So accept that, I suppose. I mean, the other thing is, it's like one of, I suppose, one of the challenges is one of the things that we try to, to, to talk about. 
And again, I, I'm, I'm going to show myself as not a constant and always listening to listener to your podcast now by saying, obviously you guys talk about zero trust.</p><p>Yeah.</p><p>How would you define Zero Trust? In fact, let me, let me put it even differently. How would you define Zero Trust in two words or less?</p><p><strong>Neal:</strong> policy strategy.</p><p><strong>Rob:</strong> Okay. Elliot?</p><p><strong>Elliot:</strong> I'm a word guy. I can't do two words or less.</p><p><strong>Rob:</strong> Okay, you can have five words.</p><p><strong>Elliot:</strong> I mean, it's more like a baseline of zero trust.</p><p><strong>Rob:</strong> Okay one of the ways that I like to define it, and there's a much longer definition, but I mean, least privilege is one way of looking at it. Probably my favorite one is assume breach. So work in the back, work in the perspective that they're already in. They're on your network right now. They've got full domain access, full or full administrator access to your network.</p><p>What, what can they do? Assume breach is another way. And to be honest, our perspective on it is denied by default. So basically there's a few aspects of that and we can, okay. Default denied.</p><p><strong>Neal:</strong> No, you're good. You're</p><p><strong>Rob:</strong> mic drop, etc. Yeah, so default denied. But as I said, assume breach is a really good one. I mean, it was part of the the executive order mandating zero trust for the federal government.</p><p>I think it was two years ago, but one of the parts of the definition of zero trust was assume a breach is inevitable or has already likely occurred. So constantly limit access to only what's needed. Now, as I said, assume breach, basically. Look, they're in, they have full access to everything. They're on my computer right now, what can they do?</p><p>Again, by taking the approach of default deny, can they run things? No. 
Whether they be good, bad, malware, ransomware, AnyDesk, rclone, doesn't matter. If it's not allowed to run, it's not going to be allowed to run. But expanding on that, and I know we're going to get into a little bit more detail, you mentioned ring fencing earlier, but expanding on just the what can run and what can't run, what things can do.</p><p>And that's what's going to protect you against this rubber ducky stealing your data. It's saying, look, PowerShell doesn't need access to my files. So why would I allow PowerShell access to my files? It doesn't need to access the entire internet. So why would I allow it to access the entire internet? So by putting limits and restrictions on what things can do, again, with the principle behind it being default deny, you're going to be in a much better position to protect yourselves against all of these threats.</p><p><strong>Neal:</strong> Yeah, I agree. I agree. From a standards perspective, we would talk about implementation. You bring up the government, U.S. government piece, which two ish years ago, give or take. I think that came out season one of us. We were only a handful of episodes in when that, I think, got announced. And then we shifted gears for a few to talk to some people who had worked on that policy.</p><p>Elliot likes lawyers. I like them. They're fun to chat with. No, it's, it's perspective, right? It's, it's unique ideas around how they approach it versus how we apply it. But that being said, so we talk about that. We talk about default deny. I think that's a good slogan for today. I'm going to catchphrase default deny.</p><p>When we think about actually implementing that and from our perspective, at least mine, it's, it's more about your approach and your policy decisions around doing this. 
So as much as it is about having the right technology stack, which most of us tend to already have chunks of it, if not already various layers.</p><p>Cause I know ThreatLocker didn't start off as zero trust, it's not what y'all were building, if I'm not mistaken, as a, as a terminology concept. It's just where the market takes terms first off, but building into what we already have and then looking at the holes we're missing to be able to apply the right tech stack to fill in those gaps.</p><p>And I think that strategy comes into play with once again, understanding zero trust isn't a product, it's a mentality, the products themselves exist to help fulfill the mentality of making yourself secure and making you get to that default deny policy. Right.</p><p><strong>Rob:</strong> Yeah, no, absolutely. I, I was asked probably about a year ago now by our marketing guys to do a one minute on Zero Trust. Now that one minute on Zero Trust, I think it's knocking around on YouTube somewhere, but that one minute on Zero Trust literally took me about an hour to record because I kept on making a mess of it.</p><p>But it was the, what I came back to was basically what you said, which is, it's a way of looking at things. It's a perspective. It's not a technology. It's not a product. It's a way of approaching things. So it is quite interesting that you describe it in pretty much the same way.</p><p><strong>Neal:</strong> Yeah, it's definitely browbeat me a lot. When we first got started, it's no, you can't go hire a technology to solve the problem. That's what everybody wants to do. No.</p><p><strong>Elliot:</strong> I mean, there is some argument against that now ish. I mean, we've had I think it was with Kane, who works over at Canva, he's you can buy what you generally need now, but like, when we started this, not even close.</p><p><strong>Neal:</strong> Yeah. We were, we were sitting in our houses trying to figure out ways to get away from COVID and here we go. 
And I think apparently so is everybody else, but the, but that's, that's a fair statement. Three years ago, even two years ago, trying to find blatant, just zero trust in a, out of a box kind of piece, you know, I, I still, I think that's fairly appropriate for most people.</p><p>I think most people have a, have a desire to avoid massive technology acquisitions right now, unfortunately, for some of us who work in the product space, but anyway, that being said. So growing that, moving into policy. We get them, we've talked about ROI and how to generate that response based on ROI and applicability.</p><p>Next step, policy procedure, default deny. And then Elliot already mentioned some things around the standards and flow around various ISO, pick a flavor, and stuff like that. So moving it forward. If you had a, like a day one kind of piece, like you, you've got to buy in, whether you're buying something or you're trying to look at what you currently already have. What does a day one rollout or day one start, even not even rollout, but day one look like for you once you've gotten the dollars behind you to move forward? Are you looking to hire, you looking to buy, you looking to do a lot of network awareness type things that already don't exist and trying to do all that artifact control and awareness, or where you at?</p><p>Or, sky's the limit. Let's go try to do everything.</p><p><strong>Rob:</strong> No, look, it's, it's obviously going to be a step by step approach. From our perspective, the first step or the first thing that you need to do is figure out what, what is required. Thank you. So what do I need to run on my network? What do my users need to be able to do their jobs? Again?</p><p>That, that is pretty much a fundamental tenet of zero trust, which is to allow people the bare minimum, to allow them to function, to allow them to do their jobs. Do they need to run Angry Birds on their machine? No, absolutely not. Do they need Minecraft on the machine? 
Do they need Cooper, the coupon clipper, to do their job? Oh, they don't, but the first step is to figure out what they actually need. What do they have as well is going to be the second step. So look, we need this. We have all of this stuff. Okay. Do we need all of this stuff to be able to perform our business functions? No, absolutely not. Those five of the six remote access tools that are running on our computers right now are probably not needed.</p><p>We're gonna block those five of six remote access tools from running to close down those holes in our, in our infrastructure. Again, step one and two is going to be figuring out what's there right now, figuring out what's actually needed, and basically, not filling those gaps, but getting from where you are now to where you need to be.</p><p>And look, it's not difficult. It sounds daunting, but genuinely it's not difficult. But you can't know where the holes are if you don't know what's there. So I suppose that, that, that sort of evaluation, reconnaissance you might call it, that, that period where you basically evaluate everything you've got.</p><p>Get full visibility over what's on your machines, because the amount of organizations that just don't know what's running on their machines is terrifying. It really is. I mean, I did an exercise for a relatively small organization in the UK at one stage and found six individual different remote access tools running on their machines. You know what I mean? They had LogMeIn, they had Bomgar, they had TeamViewer on, and this is not an exaggeration, 20 percent of their computers were running TeamViewer. That organization did not use TeamViewer. Okay, there was no good reason for TeamViewer to be running on 20 percent of their machines.</p><p>But look, we all know how it happens, which is at some point in the distant past, some third party said, Hey, I need to get into your computer. Will you install this, please? They installed it. 
It sits there forever on their machine as a potential way into that network. I mean, on a similar note, one of my, and I, I shouldn't use the word favorite to describe cyber attacks, but one of my favorite cyber attacks in the last few years was one on a water treatment facility.</p><p>I think it was actually here in Florida. Yeah. Where basically somebody got into a machine and they started changing the levels in, of chemicals to basically dangerous levels. Now it was described as being an advanced cyber attack. It was TeamViewer.</p><p><strong>Neal:</strong> Heh heh</p><p><strong>Rob:</strong> That's not an advanced cyber attack. You know what I mean?</p><p>That's some dude who installed TeamViewer on his computer at some stage because, again, some third party needed to get in. You open up TeamViewer and it says do you want to log in? And they go, Oh God, I better log in. So I'm going to create a username and password. And they probably use their personal email address and the same password that they use on 50 other websites.</p><p>One of those 50 other websites gets breached. All of a sudden their password is out there. Hang on a second. I can get into TeamViewer. Oh look, what's this machine? And it's the water treatment facility. I mean, it's not difficult to figure out how that happened. But again, does something like TeamViewer need to be able to run on all your computers?</p><p>Absolutely not. So why would you let something like TeamViewer run on all of your computers? Deny by default.</p><p><strong>Neal:</strong> Heh. Deny by default.</p><p><strong>Rob:</strong> Sorry, default deny.</p><p><strong>Neal:</strong> Default deny.</p><p><strong>Rob:</strong> Two words, not three.</p><p><strong>Neal:</strong> Default deny. The, I lost my train of thought earlier 'cause I was, I started laughing about the TeamViewer piece 'cause I was paying attention to that from a different lens. Uh, default deny. Back on that, what's actually required. 
I think that's a fun thing.</p><p>Oh, I know where I wanted to go. I have a very small tangential question around how far down the rabbit hole you really go with what is being used. So the whole flavor last year, and courtesy of Congress, with SBOM and, and the things like that, right? So I, I'm, I know this is an it-depends question, but I'm just curious your take on when we identify the things that we're required to have. How, how would we want to rack and stack them?</p><p>And should we spend time on key things or critical things, understanding what actually makes those things tick? I, as my SaaS provider using SolarWinds or Kubernetes or other things, or as the tool I've got on prem, same thing, right? Same question. Should I spend a lot of time prioritizing aspects like that?</p><p>Or should I just stick with what I blatantly know and worry about those answers later on down the rabbit hole?</p><p><strong>Rob:</strong> So I suppose there's two sides of that. There's the supply chain aspect. And there's the vulnerability aspect. So organizations need to worry about supply chain. I mean, you're using software from probably 10 different vendors. I mean, I've probably got 10 vendors' worth of software on my computer right now.</p><p>So supply chain is obviously a concern. Vulnerabilities is a huge thing. It's a massive concern. I mean, I think that we're on track, as with most years, for over 20,000 CVEs this year alone. I mean, you guys know how many, how many criticals are fixed on an average Patch Tuesday? I think the last one was four or five zero days actively being exploited.</p><p>I've, there was an Adobe one yesterday. You, I mean, look, what was it, 160,000 organizations were affected by the Exchange vulnerability a couple of years ago. 
So both supply chain and vulnerabilities are similar, but different, but equally concerning, but the way I like to look at it, and it comes back to this idea of assume breach, is assume the software that you're using is full of holes.</p><p>Assuming, assume the vendor that you're working with could be hacked and something could be used to, something could be pushed down to your machines without your knowledge. I mean, it's happened so many times. I mean, the SolarWinds is an example you mentioned. It's a great example. I mean, they, that, that was a fairly complex attack. It wasn't just we get into SolarWinds, we're gonna push down ransomware. I mean it was a lot more involved than that, but I mean fundamentally what happened was the SolarWinds agent that was installed on all of these machines started reaching out to a C2 server.</p><p>A C2 server sitting in, and nothing against people from New Jersey, but sitting in New Jersey. Now, again, attacker's perspective made perfect sense because if I, I like, if I start reaching out to Russia, then this alarm bell is going to go off all over the shop. But now I've got an AWS server or a server in AWS in New Jersey, nobody's going to notice that.</p><p>But again, restricting what things can do. I mean, again, vulnerable software is on your machines right now. Assume the software that you use every single day has bugs and vulnerabilities and issues with it that can be exploited. But what's the next thing that happens if vulnerable software is exploited?</p><p>Something tries to run,</p><p><strong>Neal:</strong> mm</p><p><strong>Rob:</strong> or something like PowerShell or RunDLL tries to reach out to the internet. So if you can stop things from running by default and stop PowerShell from accessing the internet, you're going to stop most of these attacks pretty much in their, in their tracks. 
But similarly with, supply chain, sorry, the Exchange vulnerability, again, it's a, it's a brilliant example.</p><p>I mean, we had a customer contact us about, when the Exchange thing was going down, a customer contacted us to ask us about a batch file that they saw blocked on one of the servers. We saw the process that created it was IIS. We saw it was an Exchange server, got the batch file, brought it back into our labs here, ran it on some machines.</p><p>And then within two hours, the entire network was encrypted. Now that was all through a vulnerability in Microsoft Exchange. And again, there's so many different examples of this. Yeah, another great example. And I've actually seen this in action. I've seen this in operation was the PrintNightmare vulnerability a couple of years ago using the print spooler.</p><p>I, it was so cool. I mean, there were proof of concepts out there and literally all you, again, one of the things that we offer is complete visibility over what's running on machines. But when the PrintNightmare vulnerability was exploited, basically the print spooler was used to drop a DLL, a malicious DLL, on the machine, which then executed.</p><p>Now, again, if you block things by default from executing, then the fact that the print spooler was vulnerable and could be exploited didn't matter because nothing was able to run.</p><p><strong>Neal:</strong> Yeah, I think that's where it all boils down to, right? Is at the base level, the construct is simplistic in, in, in what you want to try to do. Implementing it is where everybody decides to take their little chunk of flesh and make it more complicated.</p><p><strong>Rob:</strong> I don't like complicated. The easier the better. Okay,</p><p><strong>Neal:</strong> I'll bite my tongue about past experiences for that one. But yeah, later maybe in Florida in February. So</p><p><strong>Rob:</strong> can we agree then? I think I may know where you're going with it. 
Can we agree that some tools make it easier than others?</p><p><strong>Neal:</strong> Yes, a hundred percent, a</p><p><strong>Rob:</strong> So I, I, I, and again, I'm, I'm conscious of who I'm speaking to and who they work for. I am aware of a very large organization in the UK who have been trying to implement allow listing with a tool that they have readily available to them.</p><p>So by, are they the largest software company in the world? Are you the largest software company in the world? Anyway, with a tool that is available to them. They've spent four years. Four years on a project to try and implement allow listing and have yet to turn it on. Okay. So it doesn't have to be that hard.</p><p>It doesn't have to be that difficult. So the choice of tool that you use to implement these controls or the use to implement Zero Trust is really important. And if you do, if you try and do something with a tool that is not suited, or that is too difficult to use, it is going to take four years and it's going to end up getting thrown in the bin because everybody's going to just throw their hands up in the air and say, this doesn't work.</p><p>It can work. It does work. We have 40,000 businesses who are using our solution, who will attest to the fact that it can be done, but it is, as we said, a step by step approach. So first things first, okay, control what's running. Okay. Now we're going to move, move on to what things can do. Okay. Excellent.</p><p>We've got that all sorted. Okay. Now we're going to move on to what things have access to what data in my environment? Can I reduce the potential for damage if something bad gets in, or can I reduce the potential for data exfiltration by restricting what programs can access where? Can I take away local admin rights?</p><p>Lots of users have permissions that they don't need. So can I take them away without impacting people's workflow? Yeah, I can do that as well. Okay. Fantastic. Now we're going to get onto the network layer. 
Okay, so can we block anything that shouldn't be allowed to connect to my servers from connecting to my servers?</p><p>Yay! So there's more to it. It is a multi stage process, but there are a lot of controls that can be put into place that makes environment, that will make environments so much more secure.</p><p><strong>Neal:</strong> Awesome. I love it. I love it. It's a good start, Elliot. I think it's a good start to the series.</p><p><strong>Elliot:</strong> It is. Yeah.</p><p><strong>Rob:</strong> I look forward to part two and we can get very much into ring fencing.</p><p><strong>Elliot:</strong> Oh, yeah, we certainly can. I, I do have one final question, which I won't give you a word count or character count, but I suspect it would be a short answer. So we, we already bridged that gap, the conversation about you have buy-in, or to an extent relevant to buy-in, you're going to your board or executives, you're saying, hey, it's cybersecurity strategy.</p><p>This said, we're going to reduce risk. Blah, blah, blah. Are you going to throw out the words zero trust in that equation, or is there going to be normal human language as part of that?</p><p><strong>Rob:</strong> For the most part, I mean, in most of our presentations, I tend to avoid the term zero trust. And it's not because it's a bad term. It's not because it's frowned upon. It's because everything and everyone nowadays seems to like to call themselves zero trust. So to some extent it's present company excluded, excluded, I'm not sure which.</p><p>But no, I tend to keep it to concepts, descriptions, explanations, rather than going, we're going down the zero trust route. And everybody goes what's zero trust? Let me tell you, it's a way of looking at things. Yeah. So I tend to not use the term. And as I said, even when we're speaking to people in public presentations, I tend to not use the term that often.</p><p>DPD,</p><p><strong>Neal:</strong> called Deny by Default. 
And it's going to be a, a tri letter company for me to,</p><p><strong>Rob:</strong> DPD, that could work actually.</p><p><strong>Neal:</strong> Yeah, see, there we</p><p><strong>Rob:</strong> Have we trademarked it? We've probably, I'm not going to lie. We've probably trademarked it. If we have them, we're gonna run out and get them to do it right now. Yeah,</p><p><strong>Neal:</strong> Got our next startup for the room here, Denied by Default. So I think once again, Rob, I'm going to close out my spot here and let Elliot do his thing for the last couple of minutes, but I appreciate the conversation and I'm looking forward, like I said, to the next two. Elliot, back over to you, sir.</p><p><strong>Rob:</strong> Thanks,</p><p><strong>Elliot:</strong> Yeah. All right. So that wraps up part one of our three part series into how we operationalize Zero Trust. So we will progress, get a little bit more technical, a little bit deeper. Obviously as all things are with Neal, we, we get a little technical anyway. So hopefully you don't gloss over. I think probably by episode three, you'll be like me and I've just, I cannot absorb any of that information, but that's why we have Neal. And then we have fortunately wonderful folks like Rob Allen, who is able to come in and share their perspective and really guide us through that. So anyways, thank you to ThreatLocker for allowing us to have this conversation, kick this series off, and we will continue this with our next episode, where we get a little bit deeper into the equation.</p><p>Stay tuned and check out Adopting Zero Trust for more!</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, go to <a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a>. 
Subscribe to our newsletter or join our Slack community. Views expressed during the show did not reflect the brands, employers,</p>]]></content:encoded></item><item><title><![CDATA[Log4j Continues to act as Organizational Vulnerability]]></title><description><![CDATA[Season 3, Episode 13: Cato Networks&#8217; Etay Maor provides fresh research on the abuse of unpatched log4j libraries.]]></description><link>https://www.adoptingzerotrust.com/p/log4j-continues-to-act-as-organizational</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/log4j-continues-to-act-as-organizational</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 05 Sep 2024 12:02:35 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/148528651/c269afab3126a30b3d43b1a82c15fb66.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<figure><img src="https://substackcdn.com/image/fetch/$s_!MlDu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe7bf6cc4-c881-4173-bb58-675ca85f1cda_1280x720.png" width="1280" height="720" alt=""></figure><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or&nbsp;<a 
href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><div><hr></div><p>This week on Adopting Zero Trust (AZT), we highlight a significant cybersecurity risk focused on the notorious Log4j vulnerability and the growing concern around shadow IT. Featuring expert insights from Etay Maor, the Chief Security Strategist at Cato Networks, the conversation initially looks into the persistent exploitation methods, the importance of knowing one&#8217;s cybersecurity environment, and strategic approaches to mitigating risks.</p><h2>Key Takeaways</h2><ol><li><p><strong>Persistent Threats:</strong> Log4j and other older vulnerabilities remain a significant threat due to their widespread use and the challenges in patching them.</p></li><li><p><strong>Importance of Network Awareness:</strong> Understanding your network environment is crucial in identifying vulnerabilities and mitigating security risks.</p></li><li><p><strong>Virtual Patching as a Strategy:</strong> Virtual patching offers an effective interim solution to protect against exploitations while permanent fixes are being implemented.</p></li><li><p><strong>Challenges of Shadow IT:</strong> The rise of unsanctioned applications and devices in corporate networks necessitates robust security measures and open dialogue within organizations.</p></li><li><p><strong>Layered Security Measures:</strong> Implementing multiple security layers helps manage the influx of personal devices and applications, reducing potential security gaps.</p></li></ol><h3>Editor&#8217;s Note</h3><p>We are about to kick off a mini-series with the folks over at ThreatLocker that walks through how an organization needs to operationalize in preparation for and during the adoption of a Zero Trust strategy. 
This will differ slightly from past episodes in that we are knocking down the walls of cybersecurity and looking at how other parts of the business will be impacted. If you have specific questions, let us know and we&#8217;ll build them into this three-part series.</p><div id="youtube2-1Qhu4jLhcF0" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;1Qhu4jLhcF0&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/1Qhu4jLhcF0?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2><strong>Log4j: The Persistent Threat</strong></h2><p>Despite being identified nearly three years ago, the Log4j vulnerability remains a formidable threat to organizations worldwide. As Etay explains, this particular library is deeply integrated into various software solutions, often unknown to the organizations using them. This makes identifying and patching the vulnerability particularly challenging.</p><blockquote><p>"One of the main reasons that it is such a big issue is because this is a lot of software library that is integrated into many different solutions," says Etay. "In many cases, organizations don't even know that they're vulnerable."</p></blockquote><p>Log4j, along with other older vulnerabilities, continues to be a top target for threat actors, primarily due to its widespread use and the difficulty in effectively patching it.</p><p>From Q1 2024 to Q2 2024, Cato CTRL observed a 61% increase in the attempted use of Log4j in inbound traffic and a 79% increase in the attempted use of Log4j in WANbound traffic. 
You can read more about Log4j and other common vulnerabilities from the <a href="https://www.catonetworks.com/blog/highlights-from-q2-2024-cato-ctrl-sase-threat-report/">report</a>.</p><h2><strong>Know Thy Network: A Key Defensive Strategy</strong></h2><p>A recurring theme in this episode is the critical importance of understanding your network environment. Both Etay and Neal stress that many organizations fail to have a comprehensive awareness of their systems, leading to prolonged vulnerabilities and gaps in security.</p><p>Etay emphasizes, "Do you really know your environment? This is a tough question, and it's getting tougher with the expansion of remote users, cloud applications, and third-party integrations."</p><p>To mitigate these risks, Etay advocates for virtual patching&#8212;a method that protects against exploitations without necessarily patching the actual vulnerability. This approach allows organizations to safeguard their systems while they work on identifying and applying the necessary patches, ensuring operations remain uninterrupted.</p><h2><strong>The Shadow IT Phenomenon</strong></h2><p>Beyond traditional vulnerabilities, the rise of shadow IT presents a new layer of complexity. Shadow IT refers to using information technology systems, devices, software, applications, and services without explicit IT department approval.</p><p>Etay brings attention to the unchecked proliferation of AI-based applications and other unsanctioned software within corporate networks. He shares an eye-opening example from Cato Networks&#8217; research, where TikTok ranked high in network traffic for corporate environments, raising serious privacy and security concerns.</p><blockquote><p>"Without even going to the discussion on whether TikTok is malware or a legitimate app, are you happy that this is on your network?" 
questions Etay.</p></blockquote><p>Neal concurs, highlighting the necessity of layered security measures to manage the influx of personal devices and applications in corporate networks effectively.</p><h2><strong>Practical Tips for Mitigating Risks</strong></h2><p>Throughout the episode, practical advice is shared on how organizations can better manage these persistent threats. Here are some key takeaways:</p><ol><li><p><strong>Perform Regular Network Audits</strong>: Continuous monitoring and auditing of your network are essential. Knowing what devices and software are part of your network enables quicker identification of potential vulnerabilities.</p></li><li><p><strong>Implement Virtual Patching</strong>: Use virtual patching as a stopgap measure while working on permanent fixes. This helps mitigate the risk of exploitation in the short term.</p></li><li><p><strong>Encourage Open Dialogue on Shadow IT</strong>: Foster a culture where employees feel comfortable discussing the tools and applications they need. This transparency helps the IT department provide secure alternatives and mitigates the risks associated with unsanctioned software.</p></li><li><p><strong>Leverage Strategic Threat Intelligence</strong>: Utilize insights from industry reports, like the one provided by Cato Networks, to stay informed about the most exploited vulnerabilities and emerging threats.</p></li></ol><p>By focusing on persistent vulnerabilities such as Log4j and the emerging challenges posed by shadow IT, organizations can adopt more robust strategies to protect their environments. The key lies in maintaining thorough knowledge of your network, embracing innovative patching methods, and fostering transparent communications within the corporate culture. Stay vigilant, informed, and proactive to safeguard against these ever-present threats.</p><p><em>Thank you for joining AZT, an independent series. 
For more detailed insights from our episodes, visit&nbsp;<a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a>&nbsp;and subscribe to our newsletter.</em></p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot:</strong> Hello, and welcome back to Adopting Zero Trust or AZT. I'm Elliot Volkman, your producer alongside Mr. Neal Dennis, your host, the guy who actually knows what most of this is actually about. And today we're going to be revisiting something that even though it's not necessarily in the largest of headlines, still in some headlines, is still an issue.</p><p>It's a pretty common thing that we see for most vulnerabilities and issues. But fortunately, we have an expert who recently released a report on that situation who's going to be able to walk us through that. And of course, what I'm alluding to is the lovely Log4j situation which has never really gone away.</p><p>Fortunately, we have Etay Maor from Cato Networks, who I believe is the Chief Cyber Security Strategist now. And you are part of the recently released report that reevaluates and gets the pulse check on the current state of Log4j and how it's impacting organizations. Before we get necessarily to the report itself, and some of the findings that you have.</p><p>Okay. Hopefully most of our listeners are very intimately familiar with that situation and the patching and the vulnerabilities associated with it, but maybe you can give us a little bit of a history lesson and a reboot of why it was an issue, you know, several years back and then we can kind of pick it up to current day.</p><p><strong>Etay:</strong> Sure. So first of all, thank you for having me on. 
So the Log4j vulnerability was identified in December, I believe, three years ago, roughly December 11th, if I remember correctly. And one of the main reasons that it is such a big issue is because this is a lot of software library that is integrated into many different solutions.</p><p>And so we, so in many cases, organizations don't even know that they're vulnerable to this specific exploit because it may be nested within a software that they purchased or is used by, you know, a third party that is in their systems. So it's hard, very hard to identify all the vulnerable systems.</p><p>And the number two is, you know, number one, it's, it's, there's a vulnerability. Number two, it's super popular. It's everywhere. So the combination is kind of a lethal mix in terms of vulnerabilities and exploits.</p><p><strong>Elliot:</strong> So I'm curious from your perspective, since this is a nested issue and it requires a certain level of maturity and, you know, knowledge from the organization who owns the library itself. From your perspective, typically, where is that vulnerability or issue flagged? Does it come, is it like a two way street?</p><p>So the owner of the library will hopefully be the one to identify it, patch it, and update it to the current version? Or is it like a third party, and we have like supply issues, supply chain issues involved? Where, where does that usually originate?</p><p><strong>Etay:</strong> So if we're talking broadly about vulnerable software, you know, first of all, I wish there were no issues, but if there are, that the person who created that, that software would actually alert and patch it. You know, when you think about it, though, a lot of times these things tend to come up in the context of a breach.</p><p>And when you talk about a breach, there's usually only three ways that a breach gets detected. It's either you detected it. Either somebody told you about it, mostly like law enforcement, probably. 
And number three is the criminal or the attack group tell you that, Hey, you've just been ransomed, give us the money.</p><p>So those are the three, and unfortunately, we see it in the other way around, right? Mostly it's the third option, and then the second option, and then the first option, in terms of how likely are they to happen.</p><p><strong>Elliot:</strong> With that in mind, and that lens, it sounds like it's a pretty reactive function, which brings us to the current state and the report that this is still impacting organizations. If there's not really a whole lot of attention being raised, this report obviously helps bring that back into the limelight.</p><p>You know, how are you seeing organizations trying to deal with it today? Or is it just kind of, you know, neglected? What, what is essentially contained in the report that's identifying? Is there an increase in exploitation of it? Yeah, maybe give us a little bit of a rundown of what the current state is.</p><p><strong>Etay:</strong> Sure. So a little bit of background. So the report we're referencing is the Cato 2024 Q2 threats report which we released. And we look into a lot of different topics in these, in the report, the quarterly report. One of the topics is indeed the most vulnerable, the most exploited vulnerabilities that we see out there.</p><p>We, Cato, for those who don't know, a SASE provider, the leader according to the Magic Quadrant, we have over 2,500 customers. So we look into the networks and see what is really happening on these networks. What are threat actors really trying to do? The reason I'm emphasizing this is there's a lot of discussions about zero days and the number of vulnerabilities that you can protect from.</p><p>And don't get me wrong. I mean, you say zero day, I won't shut up for about two hours. I love talking about these things, but I'm trying to look the truth in the eye and see what is actually being done. 
And I was shocked to see that the top 10, and actually even more, we only talk about the top 10 in the report.</p><p>Vulnerabilities being exploited are not very new. They're pretty old ones. I mean, log4j is three years old, but I mean, I've seen vulnerabilities there that are seven years old, ten years old, that threat actors still try to exploit. Why? Because it works, apparently, for them, for some, you know, and then we have to ask ourselves, why does it still work?</p><p>And what should we focus on? And unfortunately, again, log4j is one of those vulnerabilities, along with several others, that are harder to find and harder to patch, because, you know, I don't want it to come off as, you know, "Hey, Etay the security guy says secure everything and you'll be fine."</p><p>Yeah, it's really easy to say that, but the reality is it's not easy to identify. Some systems are even hard to patch, even if you know that they're vulnerable. If you're thinking about critical systems, right? And if you patch them and something breaks along the way and, you know, systems go down. So that's another kind of risk.</p><p>So there's a lot of issues around the identification, but then also what do you do about it?</p><p><strong>Neal:</strong> The fun part about this is, you know, you're spot on, right? With respect to the efficacy of old things related to threat actors and what they're wanting to do. I always find these reports fascinating for that fact alone. They obviously would not put them in there if they're not still getting some kind of success, right? Because some of those things could potentially kick off alerts in certain security stacks that would keep them from being able to go further with other stuff. So for them, the wins are still there relative to that exploitation path, so they're obviously still using it.</p><p>And the other fun part of this with log4j that you're talking about, the whole SBOM piece. 
I'm hoping we can kind of go down that rabbit hole a little bit as we get through this. But on that note, you know, just for clarity up here for everybody listening, are you seeing log4j as like the number one? Even though it's still in the top 10, is it up there in the top five kind of exploitation attempt paths?</p><p>Is it down at number 10? Have we seen it go up and down a little bit? Or, you know, what's the historical path that you've seen? Is it like top of the tier, or is it starting to kind of wane a little bit?</p><p><strong>Etay:</strong> I mean, it's still top of the tier. You will get occasional spikes if there's a new vulnerability that, you know, a lot of threat actors will want to use. They'll just put it into their scanners. They'll put it into their systems and try to find the vulnerable systems to exploit them. But this is like, you know, "Sad But True" from Metallica, like it's been in the charts forever.</p><p>It's not going anywhere. Same here. It's still top of the chart. It is still up there, again going back to that kind of lethal combination of super popular, hard to patch, hard to catch in some instances. And yeah, the threat actors are relentless. I mean, we still read about different, unfortunately, a lot of them are ransomware attacks that are using this specific vulnerability in order to, you know, do their thing, so to speak.</p><p>And I think it also speaks to, when we talk about these breaches, the fact that we need to pay attention to the entire security stack. And one of my kind of pet peeves when we talk about security is you read these articles and they say, you know, company X was breached because of a vulnerability.</p><p>Company Y was breached because of a password. Company Z was breached because of, I don't know, a misconfigured firewall. But it's never just one thing. 
It's never just, oh, we were vulnerable to log4j and that's it. Because, okay, that's how they got in. But what happened after that? How come they weren't detected on the network?</p><p>How come when they downloaded the payload that wasn't identified when it was exposed on the network? Why was that not identified? You know, one of the things I really don't like is the saying that the attacker needs to be right just once, the defender needs to be right all the time. The attacker needs to be right a lot of times, and we should pay attention to the initial access, but also there's a lot of other opportunities in there to also identify the breach that started with this vulnerability.</p><p><strong>Neal:</strong> Yeah, I think I'm going to go back on a few other things here in a moment, but I think the exploitation path is a very fair call-out. You're right. There are plenty of steps beyond initial exploitation where you could have mitigated the larger threat, and a lot of people tend to forget about that. Now, hence this podcast.</p><p>This is part of the discussions we've had and like to have, is why Zero Trust as a construct is so important, you know, potentially important for implementation, because just because I get one server doesn't mean I should be able to get everything, right? And unfortunately, log4j, Apache server base, once you get through that, most people still have that backdoor wide open with no other gateways in play, right?</p><p>And just to iterate on this, I think that's part of why log4j is such an issue. Aside from its persistence, it's obviously because of where it's stationed and what makes it so popular and what you're taking advantage of. You know, this is a server-side exploit that, that toolkit is, like you mentioned, exceedingly persistent in almost every version of Apache that you could ever hope for.</p><p>And then other things, so that's the other part. 
People look at it from the Apache server space, but there's other ways to get through. When you think about this exploitation path, when you think about log4j and other stuff like this, these long-term persistent exploits, what are some of the things that people need to really maybe put resources towards, other than blatant mitigation of log4j? What are some ideas on how to find this, or what should they be considering from a resource perspective to actually take care of this and maybe some of those other persistent things?</p><p><strong>Etay:</strong> So one of the methodologies that I personally am a huge advocate of is virtual patching. And for those who are not familiar with virtual patching, there's some really good articles that define it and explain how it's being done. But virtual patching is the action of protecting against the exploitation without necessarily patching the actual vulnerability.</p><p>So what you're actually doing is you're identifying the attack that the attackers are taking, or the exploitation that the attackers are trying to perform, and you're stopping that, essentially putting like this, you know, protective shield around your network. So while you are still vulnerable, and it's very important for me to emphasize this, you may still be unpatched.</p><p>You're not letting the attack in. And that is something that I think is a great approach because, again, it allows the target of the attack in this case to take their time, identify the vulnerabilities, identify how to patch them, not break stuff, test it, and so on, knowing that they're protected from the actual vulnerability, from the actual exploitation.</p><p>Just for the sake of the example, that's exactly, you know, that's what we did with this within 17 hours and 40 minutes, if I remember correctly, from the point that it was released. For our customers, it was a non-issue. 
And it really hurts me because, you know, we were talking about this before.</p><p>I mean, you see literally on a daily basis, you see exploitation of this, which was something that could have been avoided. So that's one area that I think is very important: virtual patching. The other area is really something that I mentioned before, and that is focus on the exploits that matter and not the latest and greatest, not just the numbers or even the most recent.</p><p>Look, at the end of the day, there's only so many organizations with limitless resources. It's like the top five banks, right? Everyone else has some limitations and they need to focus. And as much as I like working and talking with the large organizations, you also have to keep in mind the very small ones, the ones where the IT guy is the guy who does the firewalls and the tickets. And, you know, it's all on that one person that runs a small shop. And so while I would like you to be able to do everything, it's not practically possible. So focus on the ones that really matter, and don't just go with solutions or approaches that say, hey, we have 10 million vulnerabilities that we are, you know, whatever ludicrous numbers.</p><p>Yeah. But the ones that are important to me, the ones that I have, the ones that the attackers are using, show me those.</p><p><strong>Neal:</strong> Yeah, I think prioritization is a big thing for a lot of companies, like you mentioned. You're right. Having worked on that side more often than not, the latest and greatest flavor of the day comes out, and leadership is, oh my God, have we patched this? It's not even in our environment. Why are you calling me at 7 a.m. on a Saturday morning? Oh, I'm sorry. No, you're not. You just read a news article, and you bought into the doom and gloom speech by some vendor who said they could fix it. Thanks. With that in mind, knowing your environment, right, is critical. 
And the smaller companies like you're referencing, you know, I would say personally that if you're in the Fortune 2,500, give or take a little bit, you should be able to afford some modicum of SBOM approach and resource management and control on that.</p><p>Maybe not full efficacy, because I also saw a stat a while back that the average enterprise agency has somewhere north of around 1,200 various vendor-type solutions within their larger corporate environment, whether that's a simple software suite on a laptop, whether that's an actual log4j-enabled Apache server, things like that. But some 1,200-plus vendor-related products minimum within their stack of IT. So understanding the entire SBOM of all of those is probably never going to happen, even for the Fortune, you know, 50.</p><p>But I say all that because, back on SBOM, I think having the right relationships as a small company with the companies that you're attached to that are way larger than you, and letting them know that you're part of their exploitation path, especially if you're providing a service, might help you get some more credit and clout downrange for them to help you maybe even a little bit.</p><p>So from an SBOM perspective, do you think that there's ways to drive that home? Do you think that would be an effective approach specific for these types of exploitations? And do you think it's worth the energy to create an SBOM if you're a smaller company, or request SBOMs from those vendors at large, and spend all that resource around all of this? Yeah.</p><p><strong>Etay:</strong> do that with us. It's such a deliberate and such a heavy process to do. If I'm honest, the large organizations are having some issues with doing SBOM as, you know, as you'd want them. 
There's a lot of discussions around what is the proper way to do it and how do you handle this process?</p><p>Actually, one of the things that I do is I'm also part of the RSA Conference committee, and I can tell you we talk about that a lot when we receive presentations, and that's one of the topics we want to discuss, but it's not an easy discussion. And just to make things even more difficult, you touched upon a topic that I really think is important.</p><p>And that is, you said, know your network. Do you know your network? Do you even know your environment? And, you know, I come from the world of doing adversary simulation, attack simulation, and breach preparedness, and I used to tell CISOs, and this happened a lot, you know, if I asked a CISO or an IT manager, what does your network look like?</p><p>I know what I'm going to get. I'm going to get this visual file and I'll see all the routers, and everything would have nice lines and everything would be organized and really nice. But then if you ask a red teamer what that environment looks like, hopefully a red teamer, not the threat actor.</p><p>And they say, "Oh, well, there's this, you know, unmanaged router that I saw that somebody installed in the office. Or I saw this user that somebody didn't close when the person left the organization. Those are my way in and you'll never see them." So do you really know your environment? And one of the topics that I touch upon in the report that I mentioned before is also, which applications are running in your own environment?</p><p>And I want to give two examples, if that's okay. 
Last year, I was actually shocked when I did the review of the whole of last year. I was looking at about 1,500 different applications that we were monitoring on customer networks, and the top five would be the ones you'd expect, you know, Microsoft, Google stuff.</p><p>But then number 23 on the list in terms of amount of network traffic was TikTok. I was like, on corporate networks? What is that doing there? Now, without even going into the discussion of whether TikTok is malware by some government or is it legitimate, you know, are you happy that this is on your network?</p><p>Are you aware of the problems this might cause, privacy, security issues? And I'm seeing the same thing now again, because I specifically looked in this report into, and I don't mean to derail this conversation, but I will mention this, I looked into what is now referred to as shadow AI, right?</p><p>AI applications, hundreds of AI-based applications. And again, are you familiar with these things that are running on your corporate network? A lot of them are like health trackers and kids' stuff, stuff that kids use. And now you're talking about all kinds of issues. So, going back now to what we started talking about, do you really know your network?</p><p>Do you understand what is going on there? And that's a tough question that I feel is getting even tougher because, I mean, you know, 15, 20 years ago it was, oh, I have my perimeter, you come into my office, I can control everything. I have everything inside my perimeter.</p><p>Everything is, I can see it. Now you have remote users and cloud applications and third parties, and you are inheriting their security posture, and you're responsible without being able to fully control it.</p><p><strong>Neal:</strong> Yeah. I will say that this is a very relevant part of this topic, in my opinion. 
Why log4j is still there is because people don't know what the hell is going on in their networks the right way. And I also want to put a line in the road: SBOM versus network awareness and resource awareness, two different things.</p><p>And at the end of the day, you need one to get to the other, technically. And the other one gets you a lot more. But SBOM, massive workload. And this is why I was asking about it, because I think it's important for critical resources at your company to understand what the SBOM is for very critical things you use.</p><p>So whatever your risk profile is, if an Apache server is what's keeping your website live, and keeping the dollars rolling in for your PayPal payments or whatever it is you're using, you should probably know everything you can about that entire solution SBOM-wise. If it's a website that people use to come and look at your latest and greatest news, but it's only getting hits once a week, it probably doesn't matter as long as it's not connected. As long as you know that it's Apache, and when someone mentions Apache, you know to go look, but you don't need to know the full suite until it becomes problematic. So awareness of what's there versus SBOM, for those listening, big differences.</p><p>Knowing your environment versus knowing the SBOM. Know your environment at the very least. Know what's actually hanging out out there. And then back to your point about network awareness and the infrastructure. I'm going to go down that one because I love this stuff. The tools, the AI, all the fun things we're bringing from home with us.</p><p>And you're right, it used to be as simple as put up some kind of DNS resolution, and people who were smart enough to practice an allow list versus, you know, a blacklist, deny list, things like that. I think that's where people need to get going too, again. And once again, back on Zero Trust. 
I should not be allowing people to connect to my network and have every single one of their apps also be able to connect through that network.</p><p>If I've got the right DNS resolvers and some other things in play, that phone should only be talking to my Outlook server at that point and whatever else is required for work, if you're doing your job right. So I just want to iterate your points on that because I do think it's critical and difficult.</p><p>So know thyself, right?</p><p><strong>Etay:</strong> Yeah. And when we have these discussions with organizations, you know, I'll give an example. I used to show all kinds of, you know, gadgets, you know, the Rubber Duckies of the world and how to use them. One thing that I didn't like when I used to do these demonstrations is you'd show like a Rubber Ducky to an organization, say a midsize organization.</p><p>And they were like, okay, no more USBs in our company. That thing is scary, no more USBs. I'm like, that's not what I really meant. Because you have to be very careful when you block, completely block stuff. All of a sudden, everybody becomes a hacker. And what you'll see next is, you'll probably see presentations and corporate stuff on Gmail going to drives that you're not familiar with.</p><p>And I see you're laughing, you're like, you know where this is going. And so the approach to it can be kind of a multi-tiered approach of, okay, what do we do with all these different applications? And I look at it and say, okay, you could go with a complete blacklist. And right, let's take the example of, I don't know, whatever, an AI tool.</p><p>And you can say, okay, yes or no, I want it or don't want it on my network, you know, allow it on my network. And then you can go a level down. You can say, you know what? I'm not going to block, let's say, ChatGPT, right? 
I'm going to allow you, but I'm only going to allow you using, you know, a corporate user, not your private user, because that one I can monitor and I can control a little bit better.</p><p>So that might be a choice. And then you can go down another level and you can say, you know what? I allow you to use this application. I allow you to use your own user. But there are certain actions that I'm not gonna allow you. For example, uploading files. That's too risky from our network.</p><p>And then you can go another level down, you know. I'll allow you to use that application. I'll allow you to use your own user. I'll allow you to upload files. But you can't upload files that contain, you know, HIPAA information or PCI DSS information. So you're going into kind of like the DLP space.</p><p>But organizations, there's controls that you can use to kind of decide where is, depends how you look at it, either your level of comfort or what is your risk appetite, you know, with these different applications. But it goes back to the same point that you mentioned before.</p><p>You have to know that these things are there to even start that discussion.</p><p><strong>Neal:</strong> I think this day and age, with the BYOB and BYOD piece, especially as corporate life gets back into the office space post, you know, all this other fun stuff. The individuals, myself included, if you put me back in an actual office space, I'm just gonna be just as bad as when I'm sitting at home looking at my damn phone when I don't have a meeting.</p><p>But understanding that current user base needs that type of access, right? Or to your point, they'll find ways to do it that aren't going to be gated the right way. And I am just as guilty as the next one for all this stuff. 
If you can't give me some kind of public drive in whatever service we're using, I'm gonna go start up my own Gmail account and do that if that's what I need to get my stuff to my client base, right?</p><p>The one thing I like, and we did this in the military even back in the early 2000s, when internet cafes were still kind of a thing. And you would have all of your normal network space. We didn't have to worry about cell phones. They weren't allowed where I worked, working in SCIFs and stuff. But they knew that people still needed to connect to the dot-com world, and so they started standing up these little small internet cafe type things in our facilities.</p><p>And so you'd go out of your secure space into another space, and that network that you were logging into wasn't the actual unclassed network. It was a segregated, just-go-do-internet-things network, holistic gateway, holistic security policy and protocol. Now I do see this at some enterprises today, where they purposely do that, right?</p><p>So they gatekeep what they need to gatekeep. They put in these different echelons, like you're talking about, to give people some flavors. And then they say, you know what, at the end of the day, here's this unrestricted or somewhat less restricted public Wi-Fi space for you to log in through and go do your TikToks to your heart's content with your own private stuff.</p><p>And then they block access through the corporate layer on that. So I think that's the thing people need to remember. If you're having your employees come back, especially post-COVID stuff, that phone is not going anywhere. And their desire to do their TikToks and their other fun stuff at work is not going to go anywhere.</p><p>And then that brings you back to the exploit path. How do you control it without them becoming little hallway hackers?</p><p><strong>Etay:</strong> You brought back some memories. I think we might have some similar background in terms of military. 
We would secure these facilities and then you'd have an officer come in with like a Fitbit or something on their chest, and they're like running around the base or doing whatever, and like, dude, this is supposed to be, you know.</p><p><strong>Neal:</strong> Oh my God. I remember those. That was a fun one to read about with the overseas places where they were doing the Strava.</p><p><strong>Etay:</strong> Yeah, Strava heat maps and stuff like that. And by the way, see, this is another thing. So it was in the news about eight years ago, and then I read about it again two or three years ago. I'm like, didn't that happen like almost a decade ago? How didn't you read the article?</p><p><strong>Neal:</strong> Yeah. Well, so let's get talking about your exploitation footprint, and I'm going to wrap myself out here. I bought a watch that at the time probably had the highest battery life and performance ratio for those fitness things, called the COROS brand. This is not me saying go buy COROS.</p><p>This is me saying don't. Even though I still have mine. The watch performs beautifully for those looking. And my advert link will be down here in a little bit. No, but I didn't realize, I didn't do a whole lot of research into the company. A lot of athletes that I was looking at, and this goes back to why people are doing TikToks and exploitation paths.</p><p>It's the weird things you don't think about until you have your guardrails up. I have guardrails here at my house. I have DNS resolution. I have a bunch of other things. I have my own Snort box. I have all these things. Paying attention to some of the lowbrow things, because that's what you do when you have guests, kids, and other weird people using your internet.</p><p>And I didn't realize that COROS itself is a Chinese company. I go in to look at my logs. And I see all these resolution requests from my phone, for the app, out to China. 
Alright, out to Alibaba website, or space, server space. So I got worried for a few minutes. I went through and ripped apart everything on my phone, 'cause I didn't realize it was that damn app.</p><p>Because the referral link did not show that it was coming from the COROS app, and I couldn't figure out what app was doing it. And then once I figured it out, I ended up finding some good resolution on the websites, or the URLs that it was trying to reference back to, but it was like eight layers deep.</p><p>All that's there. People download weird things like that. People do stuff like that. And the only reason why I caught it is because I had the right guardrails. So that app doesn't exist on my phone. It exists solely as an actual watch. I don't use any of the apps that go with it. I don't touch it anymore.</p><p>We can discuss why I don't like that, other than China. But, point is, I didn't know. And I wouldn't know unless I had the right guardrails, right? People bring stuff into your workspace like that all the time. I don't know. And that footprint is massive, way larger than people anticipate. And we are always playing catch-up.</p><p>And log4j, back on that, is a great example. We don't know what's there because we don't have the resources or the time to go find it.</p><p><strong>Etay:</strong> Yeah. And I think you did something very similar to what I did. I ran a practice at home of, I wanted to see how many Bluetooth devices I have at home, and I counted them, and I think I counted like 13 or 14, and I opened a HackRF One, you know, one of those devices. I was so off. I didn't realize that my dishwasher had Bluetooth capabilities.</p><p>I'm like, why does it? Why does it even have that? By the way, a reverse of what we're talking about, not a reverse, but like consequences of different devices and vulnerabilities. A couple of years ago, I remember, I don't know if you remember this. 
They had a problem with, I think it was an update to the Garmin.</p><p>We're talking about smart watches, to the Garmin watches, and the implications of that. Turns out that Garmin also provides maps to pilots. It's also the Air Force pilots have Garmin watches, when they got jacked, and it's okay, so we can't use that. So like the consequences of these things that we need, you know, about asthma before, how do you factor in so many different elements into your operational, you know, operational situation?</p><p><strong>Neal:</strong> Yeah. Now, I think back on the asset awareness and resource awareness, and for those who are listening that are fretting over SBOM and the fact that we keep mentioning it, you might be having a heart attack. I don't think either of us are saying that you need to go out and do SBOM. I think we're saying, at the very least, though, you do need to expend resources knowing your base environment.</p><p>So when something does happen, then you can go worry about the SBOM for that tool if you really, really have to. And this comes back to relationships and criticality, like I mentioned earlier. If your risk profile says server A is more important than server B, you've probably got a mitigation strategy and some monitoring strategy, hopefully, around server A to help with whatever that risk is.</p><p>And like Etay mentioned earlier, virtual patching, I love that. I think people don't realize how often that actually happens across all sorts of products. If you get behind all those and you start really hitting them directly, you'll find out most of your software providers have done exactly that for a large swath of things.</p><p>Mitigations are there, the awareness is there, but the patches, the actual fixes to those vulnerabilities, are not there, because if they apply them, they break your entire tool stack. But it doesn't mean you're not protected. 
It just means that they've done a good job at monitoring for that issue and are stopping it before it gets there.</p><p>And I think that's the key thing. SBOMs are important for very specific things, but as best as possible, awareness about your environment is very, very critical when things like a log4j kick off. And back to your report, people don't know they have Apache still. People still don't even realize that that's even a resource in their environment.</p><p>And that, to me, is the real issue. It's just that awareness factor. Yeah.</p><p><strong>Etay:</strong> further, one of the things that kind of, I don't want to say I fear it, but it's something that I think is really worth looking into. A different vulnerability that was discussed actually this year, because a lot of times I'm being asked and talk about open source, you know, the XZ one, where you had a threat actor that was willing to be there for two, three years in the system and wait until, you know, exploiting something like that.</p><p>And I think we got really lucky with that. I think it was a Microsoft employee from Italy, if I remember correctly, like a smart guy that actually identified it. I was like, wow, we're so lucky. But now you have threat actors who are willing to say, really, this is the very, you know, slow but consistent threat that's out there.</p><p><strong>Neal:</strong> No, that's a very fair call. And thinking about your personal risk profile versus the risk profile of upstream and downstream products that you're attached to, or enterprises you're attached to providing resources back. And this is something I try to drive home with everybody. 
If you are tied to someone else who is considered a possible target of any, pick a flavor of APT in particular, congratulations, chances are you're also being looked at from an exploit perspective, and people will do that.</p><p>Threat actors, you know, the tier-one-ish APTs, mean time to dwell is years in most cases. Well over a year, at least, in many cases. And when you're looking at what's going on in your environment, if you're tied to, let's say, a Fortune 100 company as a primary resource, I guarantee you, you're being targeted.</p><p>Especially if you're a critical asset for them, or, at the very least, a direct vendor provider of some sort. And you've probably been pwned for years, and they're just waiting to find that one critical exploit that gets them through your stuff into theirs, like SolarWinds. You know, SolarWinds is a prime example of that.</p><p><strong>Etay:</strong> You just touched upon something that is very important for me because I think, you know, I look at these graphs and the dwell time and I think those numbers are a little bit skewed. We talked about it at the beginning, right, that there are three ways to identify you've been attacked. Either you identify it, somebody tells you, or the threat actor tells you.</p><p>And you look at the mean time, like people will say six months, eight months. I see the number going a little bit down and people will say, oh, we're doing a better job. I don't think so, actually. I think in a lot of the cases, the ransomware group will tell you, hey, you've been ransomed. And then it's, oh, they've been in six months.</p><p>Yeah, but they could have stayed, like you said, two more years if they didn't let you know, because they needed the money. They wanted to get the money. And so the number is a little bit skewed because the threat actors are actually exposing themselves. It's not like we're exposing them. They're exposing themselves.</p><p>That's why the mean time is going down. 
And yeah, and another topic that you mentioned that I think is very important is that now the discussions with, you know, we're talking, we're talking to something super tactical, Log4j and how to identify the vulnerability. But CISOs today don't have, so to speak, the luxury of just doing tactical stuff.</p><p>They have to be very strategic. And now you have the CISO who needs to understand also geopolitical conflicts. Hey, there's a war between this country and that country. The other country sees you as part of that stack. And now you're gonna be a target because guess what? In war, it's tanks against tanks and fighters against fighters.</p><p>In cyber security, it will be a government versus, you know, that water facility or that bank or that private business. And now you have to have that kind of view. You have to have a strategic and operational and a tactical view. You can't just do one.</p><p><strong>Neal:</strong> Oh, I'm gonna toot my own horn for about a half a sec. I don't do this very often. Usually Elliot's trying to do that for me, because I self-deprecate too much. Many, many moons ago, about seven, eight years ago, I wrote a couple of different articles on geopolitical situations and, and cyber exploitations.</p><p>Some of them were, one of them was focused on Iranian exploitation with Shamoon 2 and then eventually Shamoon 3. And when that first kicked off, why it was very obvious that it was them before we knew it was them: the geopolitical situation said so very, very quickly and history said so, but more aptly, everybody got up in arms.</p><p>About, it was about seven, eight years ago, and we had the, what was it? The OPM breach, the government healthcare and, and records piece. And then following that we had, I forget which airlines, United and maybe, I think it was United and someone else, had a massive breach perpetrated by Chinese APT as well.</p><p>All within a couple of months, right? 
And everybody came out and was saying, oh, they're doing that so they can track CIA and blah, blah, blah, blah, blah. And the funny part about this was, if you actually looked at the larger geopolitical situation, you would realize that this isn't trying to focus on government accesses and trying to track someone with a clearance.</p><p>It was focused on enterprise, business, commercial, private stuff that they were doing there because in their five year plan, they stipulated that airlines and healthcare growth and a capability internal to them to match U.S. and Europe for that scalability and scalability was one of their primary goals for that current five year plan.</p><p>They had crappy airlines, they had crappy global healthcare systems. So what do they need to do? They need to learn how to set all that up. They go and exploit systems that show them how to set those databases up. And boom, they rinse, lather, repeat and do what they do best, which is copy IP and do it for themselves.</p><p>But everybody was so up in arms that, No, they're doing this to go out and make money and track everybody or whatever else. In reality, they're just doing it to support their own private business. So that, that awareness factor and that geopolitical situation, if people pay attention to the larger story, once again, helps you figure out if you are going to be a target.</p><p>It helps you figure out if your tie-ins left, right, vertical, what you're doing mean you're part of the exploitation path or part of the war path piece being exploited simply for data or to get somewhere else, or if someone's blatantly going to come to you because you are a critical asset, like a SolarWinds or a Log4j, and use you to cause global catastrophe.</p><p><strong>Etay:</strong> Yeah, I mean, I had a little bit of goosebumps because I was at, I worked at RSA when the RSA breach, for those who remember, happened a while back. 
At the time, I think it's now, I think it's public knowledge now that the, what was attacked was the SecurID number</p><p><strong>Neal:</strong> Oh yeah.</p><p><strong>Etay:</strong> And that ended up with we weren't, we were, we were just part of the attack that actually was later used against Lockheed Martin to, you know, boycott.</p><p>The result of what happened to me 14 years ago is probably the J-20 that we see today. Erica. And yeah, and now you are part of something that's even, even bigger, even bigger than that. And by the way, this also reminded me of another kind of defining moment in my career that was definitely defining one for me in cyber security.</p><p>Another area was the understanding of what are your crown jewels? Because you mentioned, Neal, before, you know, Hey, identify that server that is important. I remember one of the things that kind of got me thinking about how to even identify the crown jewels was the Sony breach where the most damage wasn't through like movies that were stolen or anything like that.</p><p>It was the emails between the executives talking about the actors and how much they make. And I'm like, I don't think in any simulation, breach simulation, that would be identified as, Hey, that's going to give us the most issues later. So it's, it's, it's definitely a tricky situation.</p><p><strong>Neal:</strong> Yeah. I mean, yeah, I love this. The, as an Intel analyst, one of my biggest goals in an enterprise layer is to find out what the C-suite thinks is their risk profile. And each person at C-suite should have something slightly different to say. It all ties back to money, right? But it's from their perspective of what they think impacts the bottom dollar.</p><p>And, you know, you go ask a, a CFO. 
You know, what they think is the big thing, and depending on how your CFO is aligned, or if you have a CRO versus a, you know, depends on your financing setup, that CFO might be more fixated on just uptime and availability of whatever they're providing, if it's an IT company versus a physical product, but a resource officer might be more focused on actual, like the Sony breach, might be more focused on how they're managing money with their third party accesses and things like that.</p><p>Maybe it doesn't matter, but they're all going to have a little variation on what they say. And then as an Intel analyst, my job is to take those, those, that risk profile that's defined by the board and senior leadership and figure out a way to turn that into requirements for my technical downrange. So whether it's physical or digital related security issues that would get me as a threat actor to impact those risks that were discussed, I could turn those into a potential dollar value to go get resources from my security team.</p><p>But to your point, you're never going to find it all. That's where things like, for at least cyber, where things like the MITRE ATT&amp;CK Framework come in handy where you can say you told me this was a risk but I have absolutely no coverage for this column whatsoever. Don't. This is a soapbox moment. MITRE's great at fingerprinting threat actors, but that's not why it was created.</p><p>Use it to identify what you're missing in your security procedures and policies and resources to help drive the rest of the requirements. So that, that is my Intel Analyst 101 speech for the day. Get requirements from your board of directors. 
They're never going to be right about everything, but at least you've got your ass covered for when they're wrong.</p><p><strong>Etay:</strong> It's funny you mentioned this because I teach a course here in Boston at Boston College on cyber security and I teach the MITRE framework, and the case study that I use for the MITRE framework is actually gap analysis. I ask the students to take this, show me where your defenses are and then layer over the attacks and then start looking at the gaps.</p><p>That's what you really want to pay attention to. You know, take. You think you're gonna, and here we're going back to that question. Oh, I might be targeted by an Iranian threat actor. Okay, so take OilRig and APT34 or 36, I can't remember. Put them together. See what are the common fingerprints, but then layer over that the solutions that you have to understand where are the gaps that you need to, you know, look into before they look into it.</p><p><strong>Neal:</strong> Yeah, I mean, spot on. That's exactly why that framework was created. It's coincidental and, and nice that you can use it to fingerprint a threat, but the idea is to fingerprint what you've done wrong.</p><p><strong>Etay:</strong> Yeah.</p><p><strong>Neal:</strong> What you haven't done yet. Yeah, that's a whole other fun topic about procedures and stuff like that, right?</p><p>But.</p><p><strong>Etay:</strong> complete. Sorry for stopping. That's why I think it's never completed. One thing that I like is doing the, you know, you can use Caldera, Atomic Red Team, you know, start punching the holes into where you're not sure, you know, where you stand and take those micro procedures and, oh, you think you're protected from WMI-based, you know, okay, let's, let's run a test.</p><p>Let's see. You know.</p><p><strong>Neal:</strong> Well, that gets us right back to know thyself, right? 
Like you mentioned, this is whether you're trying to map out risk and, and risk mitigation profiles and strategies for the things that you need to cover down on that you don't have resources for through MITRE, or whether you're just trying to figure out what the heck's on your environment, because part of that gets you to both sides of the coin. It comes back once again to the reason why Log4j is so popular still, because people haven't had the chance or the resources to do exactly this. And next thing you know, someone gets in and ransomware, since that is still the massive flavor of the day for what most people are taking advantage of. And in my opinion, you're lucky if it's ransomware nowadays and just ransomware, whatever they're doing from both you know, legit ransom versus blackmail versus the rest of it.</p><p>I think if, if a couple million dollars worth of ransom is the least of your problems during an exploitation path nowadays, you're lucky because an APT, legit state-sponsored threat, could have taken advantage of the same thing. And back to mean time to dwell and respond to all this other fun stuff. Been there for two, three years, sucking down IP and building the next J-20, right?</p><p>And you not even know. And so I think. Double-edged sword, but we're fortunate that monetization of these exploits is so popular in the cybercrime world versus monetization at the moment through APT as a primary, because one, in my opinion, you lose a lot more money long term than just getting ransomed.</p><p>Yeah, there's brand wariness and all this other crap that happens when you get popped, but I would much rather say I had to pay a million dollar ransom than three years later say China's been sitting on my network for three years and lose all of my contracts and every work that I've been doing with anybody else up downstream.</p><p><strong>Etay:</strong> Yep. Kind of sounded better. Yep. 
Yep.</p><p><strong>Neal:</strong> so coming back around final loop, the, the Log4j SBOM versus just know-thyself awareness stuff. Critical assets and features, all these things playing a part of at least trying to keep yourself from being the next ransomware victim, the next APT target, but more aptly, I think paying attention to the list like y'all are providing specifically.</p><p>I love seeing these lists. I love seeing the research that goes behind these when, when vendors and researchers provide this type of insight, because if it's in that top 10 health, it's in the top 100 when people put out a more exhaustive list. Every single thing on that list should be something I'm scanning for in my environment the moment that list hits.</p><p>And if you're not, congratulations, it's probably there. Especially these popular ones. And unless you know for a fact that you've already done a mitigation strategy against it, you should probably go look. It's kind of my leftover two bits for that piece.</p><p><strong>Etay:</strong> Awesome. And yeah, I think you know, what we try to cover in the report is, is, is the vulnerabilities. It's the applications. It's, it's, it's the know yourself. It's looking into the, the different protocols that, that you're using, or, you know, another interesting thing that we saw there, for example, is inbound and outbound communication is most, in most cases by most organizations is being encrypted.</p><p>One bound communication is not as Okay, you might feel comfortable with your one bond, but so will the threat actor that will be in there if they get there. So that's an area to look into. So just a lot of different elements to look into that I think are interesting for organizations where you don't really realize, you know what is really happening on your network.</p><p>And we do this comparison, by the way, in the large numbers. I mean, we analyze 1.38 trillion network flows for this quarter, but we also do it for different industries. So you can see trends over time for different industries and what, you know, what happens on their artwork. So just a lot of interesting points to look into there for those who are interested.</p><p><strong>Elliot:</strong> All right, so that takes us to the end of our episode, the end of this conversation. But I have to say, and I'm going to toot Neal's horn as he likes to call it out for me, is that I think you know, we started on the topic of Log4j, but you all carried us down a few different strains that, frankly, we need to have more conversations about.</p><p>First, I want to revisit the importance of organizations like yours who are able to identify issues that are still longstanding, still impactful. Yeah, we'll see some coverage in the trade magazines. But the only reason I'm seeing any coverage in the trade magazines is because folks like you are, of course, putting information out to the world to ensure that we have that.</p><p>Thank you all, you all, to continue on that research and flagging and making it very clear that these are other issues. But some of these other things Neal and I just haven't really dug into are things like the shadow AI, frankly, not even shadow IT part. Those are important pieces of the conversation.</p><p>So I appreciate that you're able to elevate that too, and knowing yourself and all that. But that said, I really appreciate you coming on, sharing a bit of your journey and your research and your information. I think that's super important for our listeners to be able to, again, revisit things that may have fallen off the radar.</p><p>And at least, you know, revisit some issues like Log4j. I think it was 2, 3 episodes ago. We had similar issues that were just targeting small businesses. I think Log4j was on that list among others. 
But again, thank you so much for your advocacy and being part of this, this system and community to, you know, help keep us all on our toes.</p><p><strong>Etay:</strong> Thank you very much for having me. You'll keep seeing more reports coming out both strategic ones as well as tactical ones on threat actors and the different exploitations that they utilize. We'll keep seeing more information, but thank you for having me on.</p><p><strong>Elliot:</strong> Excellent. All right. Thank you so much.</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, go to <a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a>. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.</p>]]></content:encoded></item><item><title><![CDATA[Overturning of Chevron Deference’s Impact on Cybersecurity Regulation]]></title><description><![CDATA[Season 3, Episode 12: Could the overturning of Chevron Deference impact cybersecurity and privacy regulations?]]></description><link>https://www.adoptingzerotrust.com/p/overturning-of-chevron-deferences</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/overturning-of-chevron-deferences</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Tue, 20 Aug 2024 10:30:59 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/147884429/b98ba6f9f6203fe35a3289dd853c20fe.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8-Ew!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a14343f-2f24-4730-9b0e-df2e293fee52_1280x720.png"><img src="https://substackcdn.com/image/fetch/$s_!8-Ew!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a14343f-2f24-4730-9b0e-df2e293fee52_1280x720.png" width="1280" height="720" alt=""></a></figure></div><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or&nbsp;<a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Welcome back to Adopting Zero Trust or AZT. In our latest episode, we assembled a distinguished panel to dig into a timely topic that affects the cybersecurity landscape but has the fog of war wrapped around it. Today&#8217;s conversation centered on the recent developments in cybersecurity regulations and their potential impacts, ignited by the Supreme Court overturning Chevron Deference. This, of course, has other potential impacts on all regulation types enforced and shaped by federal agencies, but our focus is, of course, on cybersecurity, privacy, and AI.</p><h3><strong>The Panel</strong></h3><p>We welcome back <a href="https://www.linkedin.com/in/ilona-cohen-3094b255/">Ilona Cohen</a>, Chief Legal and Policy Officer at HackerOne, who joined us last year to discuss the <a href="https://www.adoptingzerotrust.com/p/azt-the-national-cybersecurity-strategy">National Cybersecurity Strategy</a>. Ilona is also the former General Counsel for OMB. We are also joined by the GRC meme king, <a href="https://www.linkedin.com/in/troyjfine/">Troy Fine</a>, the Director of SOC and ISO Assurance Services at Gills Norton. 
Beyond the memes, Troy takes a practical perspective on regulations and acts as our voice for those who may be most immediately impacted.</p><div id="youtube2-ONzhAiDuSQE" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;ONzhAiDuSQE&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/ONzhAiDuSQE?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>Key Takeaways</h2><ul><li><p><strong>Chevron Deference overturned:</strong> The Supreme Court's decision removes the requirement for courts to defer to federal agencies' interpretations of ambiguous statutes and now relies on the courts.</p></li><li><p><strong>Increased regulatory uncertainty:</strong> This ruling may lead to more challenges to existing and future regulations, potentially affecting cybersecurity and AI policies.</p></li><li><p><strong>State vs. 
Federal regulation:</strong> The uncertainty at the federal level might prompt states to act more quickly on issues like AI and cybersecurity, potentially creating a patchwork of regulations.</p></li><li><p><strong>Impact on AI regulation:</strong> With about 40 federal bills addressing AI in the pipeline, the ruling could complicate the process of creating comprehensive federal AI regulations.</p></li><li><p><strong>Cybersecurity implications:</strong> Existing and proposed cybersecurity regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act, may face new challenges.</p></li><li><p><strong>Business concerns:</strong> While some business organizations applauded the ruling, the resulting regulatory uncertainty could be problematic for companies trying to plan and comply with regulations.</p></li><li><p><strong>Expertise concerns:</strong> There are worries that courts may lack the technical expertise to make decisions on complex technological issues like AI without deferring to agency experts.</p></li><li><p><strong>Potential for innovation:</strong> The regulatory uncertainty might create a wild west period for AI, potentially fostering innovation before more stringent regulations are imposed.</p></li><li><p><strong>Self-regulation importance:</strong> In the absence of clear federal regulations, industry self-regulation initiatives may become more significant, especially in rapidly evolving fields like AI.</p></li></ul><h3>Editor&#8217;s Note</h3><p>AZT does not take political stances, but as you&#8217;ll quickly hear in this episode, we do switch between legal, business, and some political opinions. Frankly, it&#8217;s difficult not to impose any bias on a discussion that has political implications. 
Still, I just want to reiterate that this is an important issue for CISOs, GRC teams, engineers, and cybersecurity teams who support maintaining compliance.</p><h2><strong>Revisiting Chevron Deference and Its Implications</strong></h2><p>This week, our primary focus is on the recent Supreme Court&#8217;s overturning of the Chevron Deference, a legal doctrine established in 1984 that allowed courts to defer to federal agencies&#8217; interpretations of ambiguous statutes as long as those interpretations were seen as reasonable. Ilona Cohen provided a comprehensive breakdown of this landmark change and its implications for the regulatory landscape.</p><p>The overturning signals a shift where courts must now interpret statutes independently, possibly leading to increased regulatory challenges and uncertainties. This decision could notably impact sectors with rapidly evolving technologies, particularly cybersecurity and AI. One of the primary concerns is decision-making based on expertise vs. legal power, which is where politics come into play.</p><h2><strong>State vs. Federal: The Regulation Tug of War</strong></h2><p>Neal raised pertinent questions about the potential shift of regulatory power from the federal level to the states. Ilona and Troy discussed how this shift could lead to a patchwork of state regulations, complicating compliance for businesses operating across multiple jurisdictions. The conversation highlighted the balance needed between timely federal action and the proactive measures taken by states such as California and Texas, especially in areas like privacy and cybersecurity regulations.</p><h2><strong>AI Regulation: Navigating Uncertainty</strong></h2><p>The panel explored the burgeoning field of AI, where regulation remains fragmented and inconsistent. 
With around 40 bills in the pipeline addressing AI at the federal level, the discussion underscored the complexities of regulating a technology that evolves faster than legislative processes.</p><p>Businesses are left navigating a gray area, experimenting with self-regulation frameworks like responsible AI initiatives. Neal pointed out the historical context of the Wild West days of the internet, suggesting that a similar period might be necessary for AI to foster innovation before stringent regulations are imposed. Meanwhile, companies that plan to offer their AI capabilities in the EU will still have to comply with the newly passed EU AI Act. This is similar to compliance with international regulations like GDPR.</p><h2><strong>Sector-Specific Insights</strong></h2><p>The discussion also touched on sector-specific regulatory approaches. The payment card industry and the advertising sector were cited as examples of successful self-regulation. Ilona emphasized that while some industries can self-regulate effectively, others, particularly those critical to infrastructure, might require more stringent oversight. Examples like the Colonial Pipeline incident were pivotal moments that highlighted the need for comprehensive cybersecurity standards.</p><h2><strong>The Role of Agency Enforcement</strong></h2><p>A significant part of the discussion revolved around the role of agency enforcement actions in the absence of clear regulations. Ilona argued that proactive rulemaking by agencies, despite its challenges, provides a preemptive clarity for businesses, contrasting with reactive enforcement actions post-incident.</p><p>Troy added that industries with well-established self-regulation mechanisms, like the payment card industry, can serve as models. 
However, replicating this success across different sectors remains challenging due to varying levels of maturity and complexity.</p><h2><strong>Future Scenarios: Best and Worst Cases</strong></h2><p>The panelists shared their perspectives on potential future scenarios.</p><p>Best case: Congress acts to provide clear delegations of authority to agencies, enabling them to create precise, informed regulations.</p><p>Worst case: A cacophony of state-level regulations leading to a compliance nightmare for businesses and inconsistent enforcement from various courts.</p><div><hr></div><p><em>Thank you for joining AZT, an independent series. For more detailed insights from our episodes, visit&nbsp;<a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a>&nbsp;and subscribe to our newsletter.</em></p><div><hr></div><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot Volkman:</strong> Hello and welcome back to Adopting Zero Trust or AZT. Today, we have a wonderful panel to talk about a very timely, but a sort of what-if situation. And I say what if, because it remains to be seen how the situations that are unfolding are going to impact cybersecurity regulations and everything else that wraps around that.</p><p>However, we do have a fantastic group of folks who can help explore the different aspects of this. And I will reintroduce a couple of folks. I don't have to introduce you to Neal. I hope you know him by now and his voice.</p><p><strong>Neal Dennis:</strong> You did your own little stint there for a while without me, but we got it.</p><p><strong>Elliot Volkman:</strong> Hey, you went on vacation. That's</p><p><strong>Neal Dennis:</strong> go on vacation and I left you alone and you did just fine. You did great.</p><p><strong>Elliot Volkman:</strong> I had to basically bribe people with hats. 
That's the only form of payment that we have available since we make zero dollars. So just, just put that out there. Anyways, let's, let's go and start with Ilona. Your background is just insane. Maybe, what's the best way to describe, you work over at HackerOne.</p><p>Everyone should probably be familiar with that brand, but you have a nice history beyond that. So what's the best way to position your background as it relates to this conversation?</p><p><strong>Ilona Cohen:</strong> Sure. But before we get started, I'm a little disappointed that apparently you bribe people with hats and I don't have one yet. So we're gonna have to remedy that.</p><p><strong>Elliot Volkman:</strong> To be fair, I only got them six months ago and I feel like we had you on a little bit before that.</p><p><strong>Ilona Cohen:</strong> All right. Fair enough. So I'm the chief legal and policy officer of HackerOne. HackerOne, if for some reason you don't know what that is, we will hack you and try to fix your vulnerabilities before the bad guys do. That's the short version. My background is I've spent over a decade in the government, however, including in the White House Counsel's Office for the Obama administration. And then I was the general counsel of the Office of Management and Budget, which, relevant to this discussion, is the agency that handles all rulemaking in the administration. So all the rules that come through.</p><p><strong>Elliot Volkman:</strong> Perfect. All right. Troy, you're a newcomer to this. What is your background? Who are you? And then I'll actually probably talk about the topic, which will add some more context for why we have this panel.</p><p><strong>Troy Fine:</strong> So I am Troy Fine. I am the director of SOC and ISO Assurance Services at Gills Norton. So we are an audit firm, a CPA firm, that performs SOC 2, anything in the compliance alphabet. We're doing those types of services and audit. 
I've been doing this for probably 12, 13 years, really started my career as an auditor and kind of just built my career on auditing and then in the cyber world, which is a little different, I think, from other cybersecurity practitioners.</p><p>But I also post a lot of memes. So if you follow me on LinkedIn I'm starting to think I might be a better an auditor, but that's still up for debate. But I started to realize that, that I might try to make a career out of that. We'll see.</p><p><strong>Elliot Volkman:</strong> That is true. And that's, in fact, why I was trying to build a podcast around you. Certainly 40, 000 people can't just care about your memes. They gotta care about your opinions. Or maybe it only is in meme form, and</p><p><strong>Troy Fine:</strong> Opinions that people can, opinions are hard. Memes are easy. So I try to stick to the memes.</p><p><strong>Elliot Volkman:</strong> Alright, totally fair. So that brings us to the topic of today, which is again, very timely. It could change by time. We actually hit publish on this thing. So just fair warning. I'm not going to say the exact date because then I will get in trouble for something else that I currently do on the side.</p><p>We're not going on that topic though anyways, so we're gonna be talking about the recent Supreme Court, overturning of the Chevron deference which is I don't wanna try to explain this. We have an expert for this. That I'm handing this over to you. Maybe you can contextualize this and then the rest of us can ask a couple idiotic questions to bring it back to reality.</p><p><strong>Ilona Cohen:</strong> Sure. Happy to try. So at the end of the Supreme Court's term, there were a couple of opinions, actually, that overturned a bedrock legal doctrine known as Chevron deference. 
And what the Supreme Court held was that courts could no longer give deference to federal agencies' interpretations of federal statutes.</p><p>So under the Chevron doctrine before these cases, which has been in place since 1984, courts would defer to federal agencies' interpretations of ambiguous statutes as long as those interpretations were reasonable. So that is no longer the case. Now it's up to each court to read the statute anew and make a determination about whether the agency's interpretation is the best interpretation.</p><p>And I know that this says, you know, on the headline, AZT Chevron deference, but I would also like to mention that there was another case that is just as important as Chevron, and that you have to look at the two together to really get a full understanding of the impact of the court's actions.</p><p>And that is the Corner Post case. And so that is important because until that case, there had been an understanding that companies, plaintiffs, had up to six years after a rule was finalized to be able to challenge that rule. And that was always understood to be six years after the rule was complete.</p><p>And now the Supreme Court has said no, it's six years after the injury has been discovered. So this puts basically every federal regulation on the potential chopping block.</p><p><strong>Elliot Volkman:</strong> Yeah, just a few potential impacts for our space. Yeah, not to mention, there's still a lot of things that we're currently working on. But maybe we can start with the big hot topic, which is AI. So there was a headline probably just this week, or let's say middle of July is the safe way to label that, of the other administration, which may or may not make it in, to basically pull out all the stops and make AI regulation a little more friendly towards us. And I think that's how the EU AI Act has positioned some of their stuff. 
But that is just one aspect of things that we're already hearing about. With, so right now there is no federal AI regulation, correct me if I'm wrong.</p><p>But there's 40 bills in the works. There's a pipeline where there could be some impact. I'm curious from your perspective, like From all the things that are in the works today, how do you feel that some of that could impact especially on the cybersecurity front where people are abusing it for increased social engineering and kind of ransomware bail building and malware and some of that stuff.</p><p>Do you have any visibility into how you feel like pulling out the stops could increase risk or something to that extent?</p><p><strong>Ilona Cohen:</strong> Sure. So following the ruling, the conventional wisdom or the set of rulings. Following the set of rulings, the conventional wisdom is there's going to be a lot more challenges to all rulemaking going forward and a lot of regulatory uncertainty. And that's in part because there aren't that many clear rules or clear statutes.</p><p>on either cyber security, really, or AI. You're right that there are a lot of pending bills right now. So there's potential for future law, but Congress doesn't move very quickly. As I'm sure everyone on this call knows, they move very slowly. And even when they do move, they don't actually have the power.</p><p>Capacity to necessarily prescribe a certain set of standards that will keep pace with technology. So no matter what, anytime an agency has to interpret a law in order to make a relevant and a timely rule, they're going to have to rely on something that's ambiguous. And then that just means that's going to be more and more likely to challenge.</p><p>The outcome is not Necessarily good for business because although there are many business organizations that like applauded the set of rulings, the reality is The uncertainty when it comes to regulation could, in fact, be very bad for business. 
The companies rely on the fact that they have, they understand what the regulatory outcome is and they can plan for it.</p><p>And in this case, you're going to see something very different. You're going to see uncertainty when it comes to the existing set of rules, but you're also going to see uncertainty when it comes to future rules. So it's going to be very challenging and this is actually something AI in particular, something that came up in the oral arguments when the Supreme Court considered this.</p><p>Justice Kagan mentioned AI and she said she talked about the fact that might be something that courts really might not get right because they don't have the expertise necessary to be able to really make a decision about how it, The statute should be interpreted that you need to be able to rely on the agency experts who have the more of the scientific expertise or technical expertise necessary to be able to promulgate the rule.</p><p><strong>Elliot Volkman:</strong> Okay, so that certainly makes sense. If I was to summarize that it, we're entering a state of significant increase uncertainty, which means. Both positive and negatives can come from that. There's more gray area for people to explore things, but without the guardrails that are being put up elsewhere it could create some other scenarios.</p><p>Neal, I'm gonna maybe throw that over to you a little bit. Feel free to jump on Soapbox, cause, I don't know, there might be something there, right? With the framing of, yes, we, we know that even on the federal side, probably not cybersecurity experts, let alone AI experts. Yeah. 
What are your thoughts?</p><p><strong>Neal Dennis:</strong> Initial quick curiosity question before we go down the AI particular rabbit hole. What does this do to the federal government's ability to push things down to the state level, or does this give more power to the state level to impact regulatory things like this in their own boundaries?</p><p>So there's a point behind that when we get there. I'm just curious, does this empower the states a little bit more potentially, or possibly push more requirements down on the states to have their own guidelines for stuff, AI or other things of that nature?</p><p><strong>Ilona Cohen:</strong> I think, the way I see it, this uncertainty at the federal level may prompt states to act faster or with greater breadth than they might have otherwise. And that also creates a problem for industry, because all of us who are trying to deal with privacy law, for example, understand you have to deal with California, and that's different than Illinois, and that's different than New York.</p><p>And each one of these states has a different set of standards, which makes it really difficult for industry to try to comply with the differing views of the state lawmakers, and then it's sometimes better for the federal government to act. But here, when the federal government is going to be potentially in a state of turmoil, it might prompt faster action from the states.</p><p><strong>Neal Dennis:</strong> So that makes sense to me. So the reason why I ask is because you started down it a little bit. When we think about AI regulation or privacy regulations, or in the state of Texas at the moment, this is a big thing here where they're enforcing privacy regulations around the adult entertainment side of the house.</p><p>There's things that they're putting into play that are impacting that, which is living two minutes away from Austin. 
And They've literally picketed the crap out of that, which is hilarious, but different topic, different podcast. So I asked because At the</p><p><strong>Ilona Cohen:</strong> Yeah, I'm not on that podcast, by the way. Don't invite me, please.</p><p><strong>Neal Dennis:</strong> But the reason why I'm curious about it is because the state is also Texas as a state I think has a little bit more impactful cyber regulation.</p><p>Forward thinking or negative. Either way you wanna look at it, whichever aspects. They do a lot of really neat things from the cyber world. They've done a lot of weird things that are just annoying from regulation. So when we think about ai. Because now, as everybody knows, we have SpaceX and Twitter formally being relocated here.</p><p>And Elon's position on AI regulation, all the other stuff, what it is. So back on AI, I'm just more curious about if that seems like a technology that, That could be impacted at these regional levels while we wait for the federal government to do things. I feel like AI as a construct and security is too much of a global thing for a state to really try to wrap something around without it being hardcore challenged every day of the week.</p><p>But that's what my personal fear is. And so I'm just curious, federal regulation versus state regulation around things that seem a little more global impactful, especially the AI topic.</p><p><strong>Ilona Cohen:</strong> I do think you will have other bodies, like international bodies, state bodies that are going to act in the face of uncertainty at the federal level. 
I don't think, by the way... I do think the federal government is going to try to legislate, but as they move so slowly, and whatever they come up with on the federal front in legislation is going to need the interpretation of the experts at the agencies, and that subsequent interpretation and application to real life standards, real life circumstances.</p><p>That's what's going to be really under the gun here when we're talking about the post-Chevron world. There are a couple of things, not just in AI, but also in cyber, like CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which is currently a proposed rule.</p><p>Now, there are other cyber incident, similar critical infrastructure rules that are coming up as well that are trying to impose cyber standards using laws that never even dreamed of the word cyber, let alone regulating it. Those are all going to come under the gun and are going to be subject to a lot of scrutiny in the courts.</p><p>And not only are we going to have to rely on judges who may not know the first thing about these topics, you're also going to have different judges in different jurisdictions reaching different opinions, which is going to lead to, I'm not going to say a state of chaos, but certainly uncertainty that's going to make it very difficult for companies to know where to invest and how to make sure that they're actually going to comply with what ultimately becomes the standard.</p><p><strong>Neal Dennis:</strong> I can definitely see a lot of escalations going unanswered up towards the top of the food chain just because of the scale of how many will probably happen. You talked about...</p><p><strong>Elliot Volkman:</strong> Troy, you deal with these all the time. I'm curious, from your perspective, how do you untangle that when you have folks that are coming to y'all for whatever perspective they have? Is there a standard talk track? 
Like, how do you untangle the 30 different overlapping...</p><p><strong>Troy Fine:</strong> You don't. That's the short answer, I think. I don't think you can, especially when it comes to privacy, right? As we were talking about before, with all the state laws, and if you're a global company, you have to deal with country-specific privacy laws. So it's not just in the U.S., it can be all over the world, right?</p><p>There is no... you can't, right? If you look at Meta, look at Google, they have privacy teams, but they have budgets for dealing with privacy violations. They're budgeting for that because they know it's impossible to do it, and you're gonna spend more money trying to comply than you are in, probably, paying the bills to the governments, right?</p><p>I don't think you really can. I think you can only do your best effort and hope you're not doing anything negligent that would cause somebody to take a closer look. And that's what they try to do.</p><p><strong>Ilona Cohen:</strong> ...courts would do with something like quantum computing, right? There's rulemaking that's expected, and do we really think that Congress is going to get that if they do it in such a prescriptive way that it will be without ambiguity, therefore without legal challenge?</p><p>And even if they do, do we think that the courts are going to be able to interpret whether or not the agencies get that? I'm not suggesting that the agencies should be without any checks on their authority in some of these areas, because we want rules that are fair and not burdensome and not overly cumbersome for industry, and that are tailored really narrowly.</p><p>But on some of these more complex challenges, like in the technology realm, AI, and, like I mentioned, quantum computing, do we really think that the courts can get it right? 
And this is again where Justice Kagan's dissent, writing for the minority, said this opinion took a rule that was based on judicial humility and turned it into one that was based on judicial hubris.</p><p>Suggesting that the court really thinks it can do no wrong, that it will be in the best position to decide all of these...</p><p>And I really do question that. They can't, it's impossible because of the rate of change, right? You can't write a law that can, in technology or cyber or quantum, whatever you want to call it... It changes too fast to have a law that covers it all. Five years from now, it's gonna be completely different.</p><p>Six months from now, it's going to be completely different.</p><p><strong>Neal Dennis:</strong> And I think maybe, for me personally, I think maybe that's the pro to this: indirectly, just by sheer volume, deregulating things. And this is the libertarian side of the conversation saying that federal overreach on things that weren't clearly defined constitutionally, blah, blah, blah, blah, blah.</p><p>Everybody pick your political party, figure out what you want to talk about there. But I see potential, especially in the tech world where, nineties, early two thousands, wild West. In the grand scheme of things, you had hackers, crackers, white hats, black hats, pick a flavor of the day, doing all sorts of things and not really having a lot of legal structure to put them into prison or to do things when they were blatantly being malicious, until the court hearings back in 2007 or 8, whatever it was, when the gentleman in Austin went to jail for the first ever spam abuse case.</p><p>I don't... Big thing, fun stuff, lived down the road from him when it was happening. It was fun to watch them roll them up. I didn't know what was going on, but that set precedents for what it meant to be a spammer and take up internet bandwidth. 
So they wrote legal structure of some sort around him to arrest him.</p><p>Post his arrest to capture other people like him. I like the wild West and the tech, a lot of fun things get done personally. Yes, I still need to know who to arrest and throw in jail, but when it comes to developing tech, I think personally, less regulation equals better innovation down the road, you throw some guidelines on it relative to what it means to do so maliciously.</p><p>But I think they still need to be a little more open ended, especially when the tech is just getting there. I like the approach of the movie theaters and the music industry of self regulation. And so as you do it correctly, then the government should have no need to come in and. Slap you around and tell you what to do.</p><p>That's my personal</p><p><strong>Ilona Cohen:</strong> So you're, there's one, first of all, I don't think of this as a political issue. I know that you just mentioned politics, but I think of this as just a, like an understanding of how you view the world. But there's one assumption that you made in your statement that I think is false. And that is that less regulation means less burden on business.</p><p>And I actually think That in the absence of rulemaking and the challenges associated with rulemaking, you will not see agency in action. You might see more agency enforcement action. So different form of action. It will depend on the agency that you're talking about and their authorities and how they use those authorities.</p><p>And I'm not suggesting even that those would be without any. Challenges. But the difference is you've got in rulemaking. You've got an agency telling you in advance. Actually, not you telling everyone in advance how they perceive this. Statute and its interpretation of the statute before you act, whereas agency enforcement action, you only see that to a single party or a set of parties after you've already acted.</p><p>And that's why I prefer that. 
You, as an industry representative, I would rather know in advance how the agency perceives something, how they view the interpretation of a particular statute before action rather than after action. I don't necessarily agree that, less regulation means less burden.</p><p><strong>Neal Dennis:</strong> I definitely agree with that. I don't agree with that side. So I apologize if that's how it came up. I think burden of labor and burden of proof, all that fun stuff falls on the private side. Whoever's managing, developing, running XYZ technology. Until the agency does step in and say, we think something's wrong.</p><p>And I think once again, back to the old internet, that's loosely what happened initially. We had people early nineties, eighties, early nineties, doing all sorts of stuff, positive and negative, no regulation blatantly there. So we had to rely on, in the early two thousands on someone like Time Warner to say you're going against our personal business bylaws for usage and access.</p><p>And that's what they wrote him up on was one of the big things was he was using someone else's Wi Fi along with his own, and they just put him in court initially for some kind of bandwidth stuff and illegal usage of Wi Fi per private guidelines, whatever it was. And then they wrote other laws about the consumption and tier one ISP utilization rates and all this other stuff for him.</p><p>And I personally like that. But I think it's on the person's doing the work to understand. Where they could potentially go wrong and the industry that's doing the work to initially self regulate until they reach a boiling point where the agencies come in and say, Hey, WTF you're doing some things that we don't necessarily agree with anymore.</p><p>And then let's duke it out in the courts. And maybe that's how the law comes into existence. 
I don't know, but I like self regulation at the industry layer as a starting point.</p><p><strong>Ilona Cohen:</strong> What about critical infrastructure? ...and critical infrastructure's lack of cybersecurity adherence, cybersecurity regulation or self regulation, right? There are times when failure to adhere to basic cyber hygiene leads to entire sections of our economy shutting down. Colonial Pipeline is, of course, what I'm thinking about.</p><p>And that impacts not just the industry, not just the company, but an entire region and an entire economy. And so that is the basis for the cybersecurity national action plan, and this administration saying, we need to level the playing field. And if you're not going to get there yourself, we're going to read these statutes... in order to make sure that you do protect not just yourselves, but all of us. So I'm curious, I know you're the podcast host, not me, but I'm going to turn it back on you and say, I'm curious, do you think that those companies that have completely ignored cyber to the detriment of an entire economy should just be able to continue to proceed as normal?</p><p>Eastern seaboard be damned. I'm just going to do what I'm going to do.</p><p><strong>Neal Dennis:</strong> No, I think... so that's a very valid question. So I think in that case, we already had two, both federal and private regulation bodies that were at play, and they ignored both. So I think under a private industry perspective, the hilarity was that Colonial Pipeline had some issues in the private sector of things with their cohorts and their partner services and things like that.</p><p>We'll leave it at that verbally, but they obviously had issues there. So they were paying the penalties before they even went before the federal courts, once all this happened with their private sector partners. And I think that's very important as an initial base. 
They did something wrong.</p><p>The private sector of that, those other businesses that they were with and doing things with, regulated them as much as they could at the time when that was happening, and more or less impacted the prolonged business. Once things were back up and running financially, then the federal courts came in and saw obviously what had happened.</p><p>So all that was going on, and I think that was a good teal or a moment to make a new regulation law for how that happened. And yeah, I think you're going to have key turning points like that that lead us down the road where government oversight should be applied, or a review of what current oversight is there and where you missed the bill from the private regulations that your industry vertical may or may not have had.</p><p>And yeah, I think it's a very fair question. And I think that is one of those milestone moments where someone needs to get smacked in the face, and then government oversight can review what's already been going on. But absence of...</p><p><strong>Ilona Cohen:</strong> ...is that courts are no longer really able to defer to a federal agency who makes a calculation based on common sense, right? The agency is generally supposed to come up with a reasonable interpretation. And it might be reasonable from my perspective, from your perspective, to finally get to some kind of a regulation that would prevent another Colonial Pipeline from happening, but that's not the calculus anymore. That's no longer the...</p><p><strong>Troy Fine:</strong> ...clarify, are you saying? Because there's this... that, like, the TSA is the one that oversees the pipelines. They interpreted a law based on this doctrine to come up with rules. 
Are you saying that they wouldn't be able to do that anymore because of that?</p><p><strong>Ilona Cohen:</strong> Yeah, look, I have not specifically looked at that rule to assess whether or not they would have the authority to be able to move forward, whether they relied on a reasonable interpretation, or whether they relied on the best reading of the statute. But I'm just saying, generally, Neal is having an argument with me, or discussion, I should say, about whether rules are good or not, whether regulation is... when is the right time for regulation. That's, like, the discussion that we were just having. And I'm saying you can't really apply common sense anymore to when is the right time to have a regulation, because even though you and I might agree that it's time because there's such a significant impact, it's really all about the statutory construction and whether or not the statutory construction is the best.</p><p>And in light of the fact that most of this administration's effort to level the playing field when it comes to critical infrastructure and cybersecurity standards for critical infrastructure, those are based on old laws that very likely talk about safety more generically than cybersecurity safety. And so you could easily see a court ultimately invalidating those. It's just something to think about, is that's, I think, our new reality, and that is...</p><p><strong>Troy Fine:</strong> ...concerning to, on the safety things. I know the FTC brings a lot of... they fine a lot of companies based on old rules that just talk about safety, and they're interpreting safety as being cybersecurity related, which, the law might've been written over a hundred years, could have been written 50 years ago.</p><p>And talked about safety, but the FTC is using this to say you didn't have the right cybersecurity protections in place. We're now fining you, blah, blah, blah, blah, blah. 
Or they're using it for privacy. So I think you're right. I do think it's going to impact cyber from that perspective, because how could you say that safety, when they wrote that law, they didn't even know cybersecurity was a word, right?</p><p>And now you're interpreting it to include cyber. I could see them saying that's not allowed anymore, for sure.</p><p><strong>Ilona Cohen:</strong> Sure. Now, that's not always a bad thing, right? Yesterday, the court threw out most of the SolarWinds case. They did it in part because they said, as a matter of statutory construction, the way the SEC was interpreting its authority was wrong. So they used a law about internal accounting and disclosure controls to apply to controls relating to cybersecurity, and the court said no, that's not what the statute says. You don't have that authority. I'm not sure, if that had been decided before the Supreme Court's decisions, I'm not sure it would have had the same outcome. So like I said, it's not always a bad thing.</p><p>I don't know. I didn't look at the facts of that case well enough to know if that was a good thing or a bad thing, but the bottom line is there will be times when agencies completely get it wrong. And so there is a role for the courts there, but I do worry that most of the time they're not going to get the technical stuff right.</p><p>And they're not going to get the sort of scope and breadth of the rule and its application. They're not going to be able to apply common sense.</p><p><strong>Neal Dennis:</strong> ...And actually write a new regulation, new law, new rule based off of current issues, concerns, and see how that goes at some level. I think for me, that's the big thing. Instead of using 50 year old policies to interpret things to fine or debilitate or grow, either way, it goes both ways. 
Industry verticals making sure we have blatant, As best practice that we can regulation and understanding it's going to change in five years, the technology behind it, but the fundamental compliance pieces or the fundamental security nature of it, the tech targeting it changes, but the construct around cybersecurity and the things that you're expected to secure, like zero trust environment and methodology and things like that are a little less fluid, right.</p><p>From a higher level, strategic terminology perspective. And so I think back on those, I think that's for me, the big thing. You, when we leave it open to the agency to interpret, we have someone who's more likely to get fined or brought up on charges and spend time in court for something that, doesn't make as much sense.</p><p>And I'm not a lawyer. So this is all just me hoping to never go to court for stuff that I think I did. Statute of limitations is up on most of the stuff I did. That was bad. So we're good. But that being said.</p><p><strong>Ilona Cohen:</strong> I can refer you to someone if you need it.</p><p><strong>Neal Dennis:</strong> I might, I have confessed to way too much crap on this podcast over the last three, two years, but nobody's knocked on my door again. So we're good. But that being said I think there's a time for regulation. I think back on the critical infrastructure, key resources side of the house. If you're a large enough persona in something that's already been defined as CIKR stuff. You already should be expecting to have some kind of regulatory requirements, both from your direct industry vertical, as well as the government. And I think that's a fair assessment to say within those echelons. Congratulations. You've got federal oversight for the rest of the things that haven't been defined back on AI and quantum computing and things like that for the time being. I don't I don't see a world where at the start of the technology, federal oversight. 
Is necessarily a great thing until we have some kind of milestone landslide moment that does push something bad, to say, wow, you definitely stepped outside your bounds. Congratulations. This was rated, whatever you need to...</p><p>I'm just curious, back on questioning. So, questioning side of the house, we'll go back and forth with our personal views all day long. Not a bad thing. We should just have a podcast where we literally just get the most divisive topic and get three, four people in a row. I don't care what it is.</p><p><strong>Ilona Cohen:</strong> We'll just take Neal's view and say this is the new standard that the courts have to apply. Whatever he thinks is right and is appropriate for federal regulation shall be regulated. And whatever is not appropriate according to Neal shall... Is that, I think, what we should do?</p><p><strong>Neal Dennis:</strong> The whole world will go to pot. I will say the one thing recently that happened here in Texas: a federal judge struck down the private distillation licensing requirements by the federal government. So if you're... I make wine part time, so this is exciting. But it might actually be, and this is why I'm talking about it, because I think it's indirectly related to this, because they just made the announcement like this week that the federal government, ATF, is only allowed to apply regulation for licensing for stills to actual production, commercial facilities, and that the home production of any alcohol should be non-regulated to the confines of the quantity that they allow, to include distilled spirits or something like that.</p><p>Anyway, that's exciting for me. But on that note, from a compliance perspective, again, moving forward, I was very curious, back on GDPR-y type things, and we touched this at the beginning, when we think about state empowerment to do these things, do y'all see maybe where. 
Where with California's privacy laws and the ones that are happening in Texas and a few other places, do y'all see those as possibly moments in time that could push federal regulation a little farther, whether that's, zero trust compliance whatever it may be, but do y'all see that, more of a grassroots movement at a state level being able to help guide federal rulings and structure in law versus waiting for the federal government to do things again?</p><p><strong>Ilona Cohen:</strong> I think the biggest impact, I don't know, Troy, you can answer because you have to comply with these laws. But just one quick answer for me is that the biggest issues for some of these companies is not in the United States. It's in the EU because they're moving so much faster than everybody else. So for a multinational company, they are obsessed slash focused on what they have to do to comply with.</p><p>The laws that are so far ahead of us. And that, if anything, I think would push the U S more than some of these States, given the breadth of the</p><p><strong>Troy Fine:</strong> I would agree. I don't think the states are really going to push the federal government to do anything. If you look at the EU, There was a time recently where there was a lot of people didn't want to send data over to the U S because we weren't like, whatever. I can't remember the terminology.</p><p>We weren't officially approved by the EU to like GDPR to send data across the Atlantic to us. And so we came up with the new data, the DPA, the new agreement, and then they were allowed to all of a sudden, it was a quick fix, but that is what's going to drive the U S to come up with a federal privacy law.</p><p>Businesses can't get. Can't be global and can do things because certain countries don't want to send data to the U S or it's too problematic for them to work with the EU. That's, what's going to drive the U S to change. Unless they can come up with a quick fix like they did and solve the problem. 
We were close.</p><p>We were getting there and then they did this quick fix and now it became a domestic bipartisan issue of why we don't have a federal privacy law. And that's probably not going to happen anytime soon.</p><p><strong>Ilona Cohen:</strong> My goodness. There's so many reasons we don't have a federal privacy law. That's a whole other podcast that we could do for hours. Yeah, the EU really is moving quickly, especially when it comes to AI, like the EU AI act for sure is, the focus of so many different companies and will, not sure you will ever see those large companies deal with self regulation because what they'll be doing is dealing with another country's or, bodies legislation or law, and that will force them to make changes in the U. S. regardless of whether the U. S. acts.</p><p><strong>Neal Dennis:</strong> So thinking about that a little bit more. If we get to a point. Yeah. Where we have some kind of formalized federal policy on this. Do y'all think it's going to be a very cut and dry or do you see things like California versus other states or whatever challenging this for years to come kind of thing courtesy of the new.</p><p>Rulings for Chevron,</p><p>up and</p><p><strong>Ilona Cohen:</strong> There is no federal privacy law, and I don't think there ever will be a federal privacy law in my lifetime. Maybe that's a little bit too much of an overstatement, especially given that there was an attempt this time around with Congress introducing the bipartisan privacy framework, but, we all saw what happened to that.</p><p>It died a slow death or actually died a pretty quick death, to be honest.</p><p><strong>Troy Fine:</strong> Yeah, there's not going to be</p><p><strong>Neal Dennis:</strong> Troy, would you be fine if there was one?</p><p><strong>Troy Fine:</strong> probably not like a GDPR. There are privacy laws, right? That protect children and other stuff like that. That exists, but I'm not an expert enough to know how this would impact. 
Those types of laws, but I agree federal, a comprehensive 1, like GDPR, probably not.</p><p>We need to start off small, like we need basic protections at the federal level instead of trying to go all in on. Everything GDPR does, maybe like basic rights to be forgotten and things like that, we could start off small at the federal level, but we don't normally, we try to run in the U S government before, we don't do the crawl walk, run, we just run sometimes.</p><p>And that's, what's happening with privacy. They need to slow it down a little bit and get like the most foundational things Hey, we all agree. You should have a right to be forgotten. If you tell somebody, okay, let's get that in a law, but yeah, it'll probably be. Never before that happens. So there you go.</p><p><strong>Ilona Cohen:</strong> Okay. you</p><p>curbing and the agency's ability to act is going to have. Consequences because Congress does not act with expediency. As we know, and they don't act with. Expertise necessary to make informed judgments always, so that's suboptimal, and it's going to lead to a suboptimal outcome.</p><p><strong>Neal Dennis:</strong> So one last question from me back on that.</p><p>Okay.</p><p>best case scenario from y'all's perspectives. And y'all, we hit on this a little bit throughout, but I'm just curious, quick summarization, worst case, best case for you, Troy, worst case,</p><p><strong>Troy Fine:</strong> I don't know if I can answer worst case, but best case for me would be that it actually accelerates the government to come out with cyber security regulations that are specific to cyber, right? If, with the, going back to the pipeline, instead of them having to interpret a old law to come up with new requirements for pipelines to protect.</p><p>Data, they should come out with a cyber security regulation where they don't have to interpret or There'll always be interpretation. 
Let's but interpret less right not have to use the word safety To mean cyber security, right? So best cases that accelerates some of these things that are not in place That would be best case for me Accelerate i'm saying at the government's pace, whatever that means right like instead of five years it happens in two years I don't know but to me that would be best case please</p><p>You</p><p><strong>Neal Dennis:</strong> worst case, you get 50 States doing 50 different things.</p><p><strong>Ilona Cohen:</strong> Best case is that Congress can fix this. So not a done deal in that Congress can delegate discretionary authority to an agency. So they could tell</p><p>Back.</p><p>And in the interpretation of the statute, we want this agency to have the final authority, and that's that.</p><p>And then this is not an issue and the agency can rely on its expertise and continue to go on as always. I don't know if that's the best case. Like the best case is always, tailored regulations, not burdensome, not cumbersome, like actually helpful to the economy, helpful to the security and the well being of all Americans.</p><p>That's the best case generally always, but in terms of this precise issue, this is, this can be solved by Congress. I don't see that happening anytime soon, by the way, but it can happen. The worst case is, as we've discussed at length. During this session, a lot of uncertainty, differing opinions, different rulings, companies not knowing what to do, sinking a ton of money into the like trying to understand how Texas rules on something versus how New York rules on something, and and then courts not being able to have the ability to issue an opinion that actually is a common sense one. So it's hard to know what. 
Rules will come before these courts now without looking into all the different statutes, but you can imagine a circumstance where common sense is just not allowed to prevail in light of the restrictions now on the courts.</p><p><strong>Neal Dennis:</strong> And I will agree on that last point. That is a concern. Whenever the rule finally has to be addressed, changed, adjudicated, wherever it goes in the court I'm right there with you on the worrisome of of that court and their ability to understand whatever that stuff is. That is a big concern.</p><p>So I'm, I appreciate it. I'm going to throw it back over to Elliot cause I definitely went down some oddities there. So I appreciate it. But I'll leave it with this. If either of y'all want to help me interpret the Distiller's ruling here in Texas, I'd appreciate that because I own one, but I would love to own one and be able to blatantly break it.</p><p>Say I own one without the federal government doing what they did here and calling up the club that was distilling stuff. So I would love help with that later, but anyway, moving over back to Elliot.</p><p><strong>Elliot Volkman:</strong> Just just don't blow yourself up or anything. Otherwise, I have to cancel the show and I don't know how to handle that one.</p><p><strong>Neal Dennis:</strong> I still have all my fingers mostly from the 4th of July. So we're good. We're good.</p><p><strong>Ilona Cohen:</strong> Know, I would help, but, my legal advice is generally worth a little bit more than a hat and I didn't even get that. So I'm going to pass on the additional invitation to provide free legal</p><p>advice. 
Elliot, look what you're doing to me, man.</p><p><strong>Elliot Volkman:</strong> We just have to make these a rare batch start auctioning them off and then it'll equate to</p><p><strong>Neal Dennis:</strong> I want to also go on record</p><p><strong>Elliot Volkman:</strong> both of us have to blow up at your your production facility.</p><p><strong>Neal Dennis:</strong> I want to also iterate, Elliot's the producer. I'm just cast. I'm not even</p><p><strong>Elliot Volkman:</strong> I literally just press the mute button on myself while I laugh. That's my job. But I do have one question. I feel like Neal, this is into your waters for like self regulation, but it's a dance between BS and not BS. And that's where we get to these concepts of privacy by design, secure by design, shift left and some of these other things of like self regulation.</p><p>There are not hard guardrails that you have to follow. It's these concepts that are like doing the right thing because it's a different shooter and all that. Panel, what are our thoughts on that? Do we feel like that will, let's say we devolve into a chaos with these situations and things just unravel.</p><p>Do we feel like there's going to be organizations that stand to the occasion and start aligning more with these things to do the right thing? What are our perspectives on that?</p><p><strong>Troy Fine:</strong> but I have a view, but I would love to ask Troy to answer first because I feel like.</p><p>There is, it already is the wild west. Look at,</p><p><strong>Elliot Volkman:</strong> Fair,</p><p><strong>Troy Fine:</strong> look at United Health Group, right? That was, that caused mass</p><p><strong>Elliot Volkman:</strong> There's a</p><p><strong>Troy Fine:</strong> problems. That happens probably,</p><p>how Once every four months, there's a major thing going on. 
It's causing problems, not all cyber-related, but CDK, same thing.</p><p>Dealerships were reporting that they were actually their financial their financial impacted for the quarter ending June 30th. They were actually reporting that because of the outages they couldn't make their sales. So we already are in chaos and we're just trying to figure out how to live in the chaos right now.</p><p>So I think it's only going to get more chaotic based on what we just discussed, to be honest, but.</p><p><strong>Ilona Cohen:</strong> Yeah, I agree with that. There are some industries that are better equipped to self-regulate than others, so take the payment card industry. They have a robust industry association that has imposed real regulation, real standards that everyone complies with because they want to be able to offer, payment services, but that takes a long time to get to that point and the process is really messy.</p><p>And so AI you have in the absence of a national standard. Or even a state standard. You've got companies trying to impose what they're calling responsible AI. So they're trying to come up with their own version of what that means, and it's all over the map. And so you've got companies now through contractual requirements, imposing things like, definitions of responsible AI and other companies having to comply with multiple different versions of what that means and that is messy and it's timely and it's expensive and it's hard to track and so that's why sometimes a national or even state standard can be useful because it reduces the cost to comply.</p><p><strong>Neal Dennis:</strong> Inception as well as at its growth points to where it's at, it's getting back to critical industry, key resource related stuff. On your anecdote, there's another comparable piece for advertising on the internet.</p><p>There's a large company or large group called TAG, trust and accountability group. 
They are there specifically to regulate what it means to be a content media content provider in the advertising world on the internet. And they started off as a very fledgling foundation, like any good thing, sitting up in DC on the Hill, trying to get their pundits together.</p><p>And now they own the regulation as a private industry group for how to appropriately put. Things through content delivery providers and stuff like that on the internet. And it's started off as a US based thing, but it's a global impact regulatory body, private regulatory body now. So then it did like with everything else, it did take them time.</p><p>They were born semi out of the inception of some of the stuff in the mid 2000s where a lot of threat actors were leveraging CDNs to push a lot of not so good things. So they had their little kind of. Come hit their moment there, their milestone moment to push them over the edge and here they are self regulatory body.</p><p>And I think that's probably what helped keep the government out of those worlds and keep the Googles and Microsoft's safe, but in a private trust group mentality. But to your point, that's not always going to happen. I agree. That is not always going to happen. And in absence of that happening, especially in a timely fashion, when you have a breakdown, unfortunately, you're going to get slapped legally somewhere and someone's going to have to create a rule to make sure it doesn't happen elsewhere.</p><p>So bust your butts off to make some kind of private regulatory landmark for your group. And if it sticks and self regulate. If it doesn't, congratulations, you're in the Supreme court. So at least that's, yeah,</p><p><strong>Elliot Volkman:</strong> that takes us to the end of the episode. So Ilona, Troy, thank you so much for joining Neal. So glad you're back. So I don't have to talk to the wall. We will see y'all next time. 
And yeah, we're hopefully off a little hiatus for a summer, but otherwise expect back to our every-other-week publishing schedule.</p><p><strong>Neal Dennis:</strong> You putting this out before Black Hat?</p><p><strong>Elliot Volkman:</strong> I don't know. Hopefully.</p><p><strong>Neal Dennis:</strong> See ya at Black Hat, if he gets this out in time.</p><p><strong>Elliot Volkman:</strong> Oh yeah. We're going to be at Black Hat. I think find us somewhere. We'll figure it out.</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, go to <a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a>. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show do not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.</p>]]></content:encoded></item><item><title><![CDATA[Applying Vulnerability Management to Zero Trust: Insights from Fortra’s Tyler Reguly]]></title><description><![CDATA[Season 3, Episode 11: Vulnerability management is critical to any Zero Trust strategy, but you probably already know that. Fortra&#8217;s Tyler Reguly breaks down severity vs. 
risk.]]></description><link>https://www.adoptingzerotrust.com/p/applying-vulnerability-management</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/applying-vulnerability-management</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 01 Aug 2024 10:31:06 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/147215777/b6168e594e09eba619196df7ec0d18e0.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<figure><img src="https://substackcdn.com/image/fetch/$s_!1GGn!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0064fdce-4523-4497-a56a-0496ef77fb7b_1280x720.png" width="1280" height="720" alt=""></figure><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>, or&nbsp;<a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Every organization relies on some form of technology to run, and each tool you add increases the risk of vulnerabilities causing problems. 
If you don&#8217;t stay on top of patching, you increase the odds of a bad actor finding their way more easily within your network.</p><p>This week, we chat with Tyler Reguly, a senior manager of security research at Fortra, who shares insights from his 18 years in vulnerability management. Tyler discusses the importance of staying on top of patching to maintain a Zero Trust strategy, the differences between vulnerability and patch management, and emphasizes that the Common Vulnerability Scoring System (CVSS) measures severity, not risk.</p><p>We also briefly nerd out about the significance of groups like the Canadian Cyber Threat Exchange (CCTX) for knowledge sharing and collaboration in cybersecurity. And then, we wrap things up by exploring the efficacy of existing security policies and benchmarks, such as CIS and DISA STIGs, and the role of vendor relationships in maintaining effective security practices.</p><h2>Key Takeaways</h2><ul><li><p>The Common Vulnerability Scoring System (CVSS) measures severity, not risk; a broader risk assessment methodology is necessary.</p></li><li><p>Prioritizing public-facing systems and user base risks is essential due to common exploitation methods like phishing.</p></li><li><p>Effective patch management requires vigilant testing to avoid false positives and unnoticed vulnerabilities.</p></li><li><p>Collective defense groups like the Canadian Cyber Threat Exchange (CCTX) enhance security through knowledge sharing and collaboration.</p></li><li><p>Security Configuration Management (SCM) and standards like CIS benchmarks are beneficial for enhancing security beyond just patching.</p></li><li><p>Building a robust Zero Trust program involves leveraging community insights, prioritizing critical patches, and continuously validating security measures.</p></li></ul><h3>Editor&#8217;s Note</h3><p>Heading to Black Hat? Neal and I will be there! Please reach out if you are interested in chatting. 
We&#8217;ll likely record some mini-episodes. We&#8217;re also booking our standard episodes out through the rest of the year, so if you have fresh research, hot takes, or implementation stories, we&#8217;d love to get them in front of our audience.</p><p><em>Transparency note: Elliot now works at MSFT and will not discuss anything that takes place there or about the company. You can check out the fancy <a href="https://thecyberwire.com/podcasts/microsoft-threat-intelligence">threat intel podcast</a> for that.</em></p><h2>The Importance of Patching in Zero Trust</h2><p>To set the stage, we kick things off by addressing a fundamental question: how critical is it to stay on top of patching in a Zero Trust strategy? Tyler offered his perspective, underscoring the surprising notion in some circles that Zero Trust could reduce the urgency of patching. He emphasized that, in his experience, patching remains a crucial element as you have to operate under the assumption that a breach is inevitable. He elaborated on the necessity of knowing what's out there, prioritizing risk, and knowing how to deal with vulnerabilities.</p><h2>Community Involvement: CCTX and Vulnerability Information Sharing</h2><p>Tyler shared one of his enriching experiences with the Canadian Cyber Threat Exchange (CCTX). He highlighted the enthusiasm and commitment within the community towards making vulnerability management programs work. Tyler emphasized the advantage of seeing cybersecurity as a team sport through such communities where knowledge sharing and active participation significantly enhance the collective security posture.</p><h2>Zero Trust Policy and Vulnerability Prioritization</h2><p>Neal then led us into a brief rabbit hole, diving deeper into the nuances between traditional vulnerability management and Zero Trust policies. Tyler explained the varying degrees of advancement within Zero Trust implementations, noting that the maturity level significantly affects the overall benefit. 
A key takeaway was the emphasis on prioritizing public-facing systems and user base risks due to the common tendency for humans to fall for phishing attempts or other exploitation methods.</p><h2>Security Configuration Management and Standards</h2><p>The conversation then shifted to security configuration management (SCM) and standards like CIS (Center for Internet Security) benchmarks. Tyler highlighted the importance of SCM, noting that patching, while essential, is just one layer of the security stack. Implementing robust configuration policies can make systems more secure even with vulnerabilities, further complementing Zero Trust principles.</p><h2>The Role of CVSS in Risk Prioritization</h2><p>Tyler touched upon a core aspect: the Common Vulnerability Scoring System (CVSS) and its role in measuring vulnerability severity, not risk. He clarified common misconceptions about CVSS, advocating for its use as a severity indicator while emphasizing the necessity of a broader risk assessment methodology to truly gauge the impact on an organization's specific environment.</p><h2>Vendor Trust and Vulnerability Management</h2><p>Understanding the credibility and context of information from vendors is paramount. Tyler shared anecdotes illustrating both the pitfalls and benefits of relying on vendor-provided data. He stressed the importance of validating vendor claims, understanding the nuances of potential media hype, and trusting reputable vendors who provide clear, detailed, and immediate action plans for critical vulnerabilities.</p><h2>False Positives and Patch Management</h2><p>Toward the end, Tyler discussed the ongoing challenge of false positives in vulnerability detection tools and the critical need for effective patch management. 
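</p><p><em>Added example, not code from the episode, from Fortra or from the show: a small Python risk-ranking routine that uses the CVSS base score strictly as the severity input and layers exposure (internet-facing host or user endpoint), known in-the-wild exploitation, asset criticality and compensating controls on top of it, which is the severity-versus-risk distinction Tyler draws above. The weights, host names, vulnerability IDs and asset inventory are constructed for illustration and are not real CVEs or real systems.</em></p>

```python
"""Severity is not risk: rank findings by exposure, exploitation and context.

Added example for this page, not code from Fortra, Tyler Reguly or the show.
CVSS base scores are kept as the severity input; everything else (weights,
host names, vulnerability IDs, the asset inventory) is constructed here for
illustration and should be replaced with your own data and risk appetite.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder ID, not a real CVE
    host: str
    cvss_base: float         # CVSS v3.x base score, 0.0-10.0: severity only
    attack_vector: str       # CVSS AV metric: "N" network, "A" adjacent, "L" local, "P" physical
    exploited_in_wild: bool  # e.g. listed in a known-exploited-vulnerabilities catalogue


@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool       # reachable from a public IP
    user_endpoint: bool         # a workstation where phishing payloads land
    criticality: int            # 1 (lab box) .. 5 (crown jewels)
    compensating_controls: int  # segmentation, EDR, WAF, ... currently in place


@dataclass(frozen=True)
class Ranked:
    vuln_id: str
    host: str
    cvss_base: float
    risk: float


def risk_score(f: Finding, a: Asset) -> float:
    """Multiply a normalised severity by exposure, threat and context factors.

    exposure   : network-reachable bugs on internet-facing hosts count double,
                 on user endpoints 1.5x; local bugs on user endpoints still get
                 a bump because users open attachments
    threat     : known in-the-wild exploitation doubles the score
    context    : asset criticality scaled to 0.2..1.0
    mitigation : each compensating control trims 15%, floored at 0.4 so that
                 controls reduce risk but never make a finding disappear
    """
    severity = f.cvss_base / 10.0
    exposure = 1.0
    if f.attack_vector == "N":
        if a.internet_facing:
            exposure = 2.0
        elif a.user_endpoint:
            exposure = 1.5
    elif f.attack_vector in ("L", "P") and a.user_endpoint:
        exposure = 1.3
    threat = 2.0 if f.exploited_in_wild else 1.0
    context = a.criticality / 5.0
    mitigation = max(0.4, 1.0 - 0.15 * a.compensating_controls)
    return round(severity * exposure * threat * context * mitigation * 10, 2)


def prioritize(findings: list[Finding], assets: dict[str, Asset]) -> list[Ranked]:
    """Return findings ordered by contextual risk, highest first.

    A finding on a host missing from the inventory is a real gap (you cannot
    prioritise what you cannot place), so it is raised rather than skipped.
    """
    ranked = []
    for f in findings:
        if f.host not in assets:
            raise KeyError(f"no asset record for {f.host}; fix inventory before ranking")
        ranked.append(Ranked(f.vuln_id, f.host, f.cvss_base, risk_score(f, assets[f.host])))
    return sorted(ranked, key=lambda r: r.risk, reverse=True)


# Constructed sample data (not from the episode): an exploited 7.5 on a public
# VPN gateway, an unexploited 9.8 on a segmented internal build server, and an
# exploited local-vector 7.8 on a finance workstation.
ASSETS = {
    "vpn-gw-01": Asset("vpn-gw-01", internet_facing=True, user_endpoint=False,
                       criticality=5, compensating_controls=1),
    "dev-build-01": Asset("dev-build-01", internet_facing=False, user_endpoint=False,
                          criticality=2, compensating_controls=3),
    "ws-finance-07": Asset("ws-finance-07", internet_facing=False, user_endpoint=True,
                           criticality=4, compensating_controls=2),
}
FINDINGS = [
    Finding("V-1", "vpn-gw-01", 7.5, "N", exploited_in_wild=True),
    Finding("V-2", "dev-build-01", 9.8, "N", exploited_in_wild=False),
    Finding("V-3", "ws-finance-07", 7.8, "L", exploited_in_wild=True),
]

if __name__ == "__main__":
    by_cvss = sorted(FINDINGS, key=lambda f: f.cvss_base, reverse=True)
    print("by CVSS alone:", [f.vuln_id for f in by_cvss])
    for r in prioritize(FINDINGS, ASSETS):
        print(f"{r.host:14s} {r.vuln_id}  cvss={r.cvss_base}  risk={r.risk}")
```

<p><em>Run it and the CVSS-only ordering (9.8, 7.8, 7.5) inverts once context is applied: the exploited, internet-facing 7.5 ranks first and the segmented internal 9.8 ranks last. The particular weights are arbitrary; what matters is that exposure and exploitation are inputs to the model at all, and that a finding on a host missing from the asset inventory is surfaced as an error rather than quietly dropped.</em></p><p>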
He illustrated real-world scenarios where lapses in proper patching resulted in unnoticed vulnerabilities, reinforcing the message that patch management requires vigilant testing and verification beyond just automated updates.</p><p>Our conversation wrapped up with a light-hearted but insightful dialogue on the intersections of vendor management, supply chain risk, and the personal nuances each brings to contributing to community-driven security initiatives. Tyler's contributions and insights undoubtedly highlighted the importance of proactive vulnerability management in shaping strong Zero Trust environments.</p><p>In essence, this episode underlined that building a robust Zero Trust framework isn't just about implementing technology but also leveraging community insights, prioritizing critical patches, and continuously validating security measures. Stay tuned for more deep dives with experts like Tyler who bring invaluable perspectives to the evolving world of Zero Trust.</p><div><hr></div><p><em>Thank you for joining AZT, an independent series. For more detailed insights from our episodes, visit <a href="http://adoptingzerotrust.com/">adoptingzerotrust.com</a> and subscribe to our newsletter.</em></p><div><hr></div><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot Volkman:</strong> Hello everyone. And welcome back to adoption Zero Trust or AZT. My name is Elliot Volkman, your producer alongside Neal Dennis, our host, and Tyler is going to be here talking about a subject that we have somehow neglected to cover in this equation, which is.</p><p>As basic as it gets when it comes to a Zero Trust strategy to enjoy that. 
I don't mess up your background and important brand names and whatnot.</p><p>Tyler, maybe you can give us a little bit of a background on yourself and how you got into your shoes today.</p><p><strong>Tyler Reguly:</strong> Sure. So I'm a senior manager of security research at Fortra. I've been in the vulnerability management space now for 18 years. And through a series of acquisitions, I still work with the same product I started working with 18 years ago, which is an odd thing, I think, to encounter in that industry.</p><p>People usually move from time to time. But we were nCircle, we were Tripwire, Tripwire was acquired, Tripwire was acquired again. Now we're Fortra. My role has since expanded that I have I now look at vulnerability management across multiple products. I look at MDR and XDR a bit now, research.</p><p>My love has always been vulnerabilities, vulnerability research. I, I started out, as a teenager in the mid-'90s playing with this stuff and sitting there on the Slackware box compiling old C exploits just to see what they would do. And I've just been in love with it ever since.</p><p>And it hasn't changed since then. So thanks for having me. I'm excited to talk about this.</p><p><strong>Elliot Volkman:</strong> Yeah, absolutely. Likewise. And I can already see Neal grinning. You've definitely said some right terms there to perk his ears up.</p><p>But you also said the key word, which is what we're going to be talking about today as it relates to modern cybersecurity strategies. And of course, Zero Trust, which is trust.</p><p>Vulnerability is patching the very most basic thing that somehow, again, we have neglected to talk about. So I love just to tee this off with a nice little softball. 
Maybe you can give us a little bit of perspective of in this whole world of Zero Trust through the lens of, we have to go under the notion that you're probably breached or you have to run under the notion that you are already breached.</p><p>How important and how critical is it to stay on top of patching?</p><p><strong>Tyler Reguly:</strong> It's interesting because I, again, I, vulnerability management, I don't talk a lot about Zero Trust. So I did a whole lot of reading to make sure I didn't sound like a fool. And I still probably will. But that's okay. And I was actually surprised to see a number of, of articles out there that said Zero Trust means that you Don't have to focus on patching with as much priority as you otherwise might have to.</p><p>That surprised me. Now again, I, I live and breathe the vulnerability management space. So it's something that is near and dear to my heart and I consider it critical. But in my mind, Yes. Are you breached? When will you be breached? It's not a matter of, if you'll be breached, it's a matter of when.</p><p>And one of the easiest ways to stay on top of that is to stay on top of your patching. Know what's out there, know how to prioritize your risk and, and know how to deal with everything that's coming at you.</p><p>I think the biggest thing and one of the coolest experiences I've had this year, if I can go on a bit of a tangent Is I'm involved with the Canadian Cyber Threat Exchange, CCTX, and one of the things that I've been doing there is actually running a vulnerability community of interest for Canadian companies every, two weeks or so we meet and talk and one of the things that I've found is that.</p><p>A lot of people really want to make their vulnerability management programs work. A lot of people are keen to see it work. They just don't know how to get to that point. And I think that I've rambled a lot. 
But I, I think that knowing how to properly, properly prioritize things is really key to not just applying those patches and understanding them, but securing your overall environment because you have limited resources and patching isn't the only thing you have to do.</p><p>So knowing where to put your resources and how to use them and how to properly prioritize the overall security of your enterprise is probably the most important thing for people.</p><p><strong>Elliot Volkman:</strong> That is a fantastic question, and usually I would ask a follow up, but you also hit another term, which is basically the collective defense. So for the U.S., we have ISACs and, for anyone that's listened probably knows that Neal has a strong love affair or interest with ISACs, so I'm gonna actually just hand that off right over to you, Neal.</p><p>Maybe you can go there because I don't want to hold you back and I feel like I can just see you're ready to go.</p><p><strong>Neal Dennis:</strong> Nah, I just find it's always fun when day-to-day life syncs up with podcast life in one way or another. And Tyler, you're not rambling. I'm going to teach you how rambling works here in a few seconds. That being said, CCTX is someone I work with as well. From a product perspective. So I, my day life, my day job, they use one of our products to impact that membership from a portal and, and collaboration perspective.</p><p>So we'll, we'll, we'll talk about that maybe offline as far as what that is a little bit more. So that's pretty cool.</p><p>Now, one thing I want to maybe highlight real fast before I ask a couple of questions, I want to make sure people understand that Zero Trust policy and procedure isn't obviously saying don't patch or de-escalate or de-prioritize or don't make it an important thing.</p><p>It's, it's more of a, let's look at. 
What types of vulnerabilities are typically taken advantage of, especially things like remote execution stuff related type things, and what happens once that, that is exploited? How does the pivot occur? And why does the pivot occur? I can get into a server with some exploit, right?</p><p>With some RCE. But once I'm there, if you have the right Zero Trust policies, then you should really still just be there, in theory, minus additional exploitation paths that aren't patched or available. I, I think for the listeners, just understanding that criticality and understanding your, your prioritization still needs to happen at a very base level, but there is some leniency towards what happens once the exploit is taken advantage of, for what that threat actor has as a next step, if you've taken due process around a Zero Trust implementation. And any time on a server is still bad time on a server.</p><p>If it's from a threat actor, no matter what you've done to block down the rest of it. So then, that in mind, thinking about the, the, the chain of impact and stuff of that. We, we see old talks around security and, and security in layers, defense in depth, make it like an onion, prioritize your things based off of either the lowest common denominator or the biggest impact, whatever, blah, blah, blah, words, words, words.</p><p>So from your perspective, thinking about what you've already going. What would be some of the key advice to help maybe refocus prioritization, or what would you think would be impactful to still take into account to prioritize these data points? Should we focus on exclusively say, Hey, Zero Trust behind the firewall is great, behind the gateway and DMZ is great.</p><p>Let's just go ahead and manage all the legitimate, blatantly Internet-facing stuff because Zero Trust will take care of it all. Or should we still fully understand that? 
An exploit's an exploit and it can still get around the Zero Trust framework.</p><p><strong>Tyler Reguly:</strong> Yeah, I think so. I'm gonna step back and say one of the things I've seen is that there are degrees of in everything, there are degrees in vulnerability management, there are degrees in Zero Trust. And I think that it depends on how far along you are in your implementation path in both of these things.</p><p>If you're all the way there and you have a full Zero Trust network in place, yeah, it's going to help you a lot. But if you're in your infancy and just starting to implement Zero Trust in your environment, it's not going to necessarily help you as much as somebody who's made it to the end and crossed the finish line.</p><p>If you can ever really cross the finish line in anything with tech, but when it comes to, what do you prioritize and where do you look? I think there's two primary things that tend to cross my mind. One is that publicly accessible stuff that you just have to deal with. If we look at what's been going on in the last week, we saw the, the Palo Alto vulnerability, the GlobalProtect vulnerability.</p><p>Cisco yesterday just dropped the ArcaneDoor, I think is what they called it, campaign. It's got three new CVEs that are impacting ASAs and FTD, Firepower Threat Defense, and I think that those are critical things that you have to look at because those are systems that are sitting there with public IP addresses that anyone's going to be able to poke.</p><p>The other thing, though, is your user base. And let's be honest, people are going to click links. The number of times in the, forget the enterprise. 
The number of times that I've had family members and friends call me and say, oh, I got an email that said I had to pay a, a, a fee on a UPS shipment, and I clicked it and gave them my credit card, but I don't think it was real, or.</p><p>I called tech support because I had a pop up when I visited a website and it said I had to call them and they wanted to remote into my computer to fix stuff, or, people click these things all the time, and the same people that are, my family and friends clicking these, are people who are employees of enterprises and organizations. So you really need to think about that end user desktop, how it's sitting, what you can do with it. And what does that user have either on the desktop or what do they have access to? And start to assign asset values, right? Is, is this a critical server? Does this server have financial data on it?</p><p>Because quite honestly, if you've got a server that's processing credit cards versus a server that's serving your static web page, I would say one is a little more important than the other at the end of the day. So I think taking asset values into account is really important. And I think thinking about those two spaces is really the, the critical things that you want to think of.</p><p>It</p><p><strong>Neal Dennis:</strong> There's the mute button. So I think from a, from a vulnerability management perspective, I think this is a fun exercise where if you're doing those types of assessments, I think those types of assessments, let me back step. If your vulnerability management team has done their job or is doing their job and they understand the infrastructure, at least at some significance, to understand the prioritization impact, I think that's also potentially your list for prioritizing what you should start doing when you're building out your Zero Trust policy and, and what infrastructure you should obviously look to start wrapping that around as you build your layers into that. 
So I don't know if that's an agree or disagree moment, but I would like to imagine that the things you prioritize from an updates perspective are the ones you should obviously prioritize from securing in as to a new modality.</p><p><strong>Tyler Reguly:</strong> Makes perfect sense to me. Yeah.</p><p><strong>Neal Dennis:</strong> Yeah. What I heard is I'm going to go harass you. You're going to have the prioritization because you're my vulnerability management guy on my team. And you're going to help me build my Zero Trust policy from that prioritization procedures that you've built already on my behalf. And I'm going to check the box with one less thing I have to do.</p><p><strong>Tyler Reguly:</strong> Nope. That makes sense to me.</p><p>Then all we got to do is sit down and figure out how we're going to fit in whatever policy or benchmarking mechanism we're going to use, which I don't want to derail the conversation, but I just want to point out that way too many vulnerability management programs don't take security configuration management into account.</p><p>They either treat it as two separate things, like often SCM still lives with IT people, I find, and not always living with security, and CIS benchmarks or DISA STIGs or whatever policy you want. The number of policies, especially once you get into various governments implementing their own policy, there's so many out there that you might have to adhere to. Understanding which ones you, because of regulatory reasons, need to apply to or comply with, and which ones you should from a basic security hygiene standpoint. Once you apply those, the thing that I've always found really cool is that, yes, vulnerabilities are a concern, but there are things that prevent the risk of exploitation from either occurring or minimize the risk of exploitation happening.</p><p>Zero Trust is obviously one of those. 
You can try and prevent pivoting around the network, hopefully restrict them down to a single system, but if you go a step further and you've got a properly applied configuration on the box, the box is securely locked down with a, again, I'm going to go with CIS benchmarks because I think they're the most well known.</p><p>So I'll, every time I say CIS, just know I'm, I'm just using a generic term. You lock them all down and use the full CIS policies and you implement level one, level two of those policies, you end up with a relatively secure box in a lot of other ways as well. You can have your Zero Trust network.</p><p>Now you've got your hardened device. And now patching your vulnerabilities is just one more layer that you're adding on top of that. And so I think it's really about putting all those together. And to your point about defense in depth and layering the onion, it's, I'll go with a different one.</p><p>I hope I'm still here. It's a trying to reconnect. But I'll go with a, a different one and say that it's almost like you're building a lasagna. Again, I'm a big guy. I love my food. But, you've got to, you get that base down first. And then it's just about stacking those layers on top of each other to, to get to a point where you secure yourself as much as possible.</p><p><strong>Elliot Volkman:</strong> is</p><p><strong>Neal Dennis:</strong> with a good lasagna. My family's part Italian on my mama's side. So that's a great analogy for my stomach. I know I don't look it, but.</p><p><strong>Elliot Volkman:</strong> University</p><p><strong>Neal Dennis:</strong> yeah, there's a lot of lasagna packed away behind these, these, these layers. No, so you're, you're talking about some of the benchmark items here and you come back to CIS and, just 'cause.</p><p>Familiarity or possibility. Like you mentioned, you think that's a good standard. 
Are there, out of the host of standards and process flows, CIS being one of them, are there other recommendations or other things that people should look into if they're just really getting started from that consideration?</p><p>Echelons and things that you would suggest to go poke and prod so they can get a better understanding of where they really should be from those benchmark standards? Yeah,</p><p><strong>Tyler Reguly:</strong> So I think I like CIS and I like talking about CIS because it's almost like entry level, like it's table stakes. You want to get in there and, and the fact that they break it into, so if you're not familiar with the benchmarks, they break it into various levels. And here's the things that everyone should do.</p><p>Here's the things that you should do if you're a bigger organization with a security team. And here's the things that you should do if you're like a nation state target type levels. And so that first one, that table stakes level one stuff, is simple. It should not take a lot of effort on the part of an organization to implement it.</p><p>So that's why I like talking about it, because it really is table stakes. Now, when you want to move forward from there, I think it's important to think about who you are as a business. And that's where I think the regulatory policies start to come into play. If you're doing business with the government, DISA STIGs are going to be very important to you.</p><p>And you better know that and what they contain. If you are payment card stuff, PCI obviously is the standard you want to pay attention to. So I think that NERC CIP for energy, that's a big one, obviously energy companies. I think it was last week, the FBI issued another warning about potential nation state attacks coming in against infrastructure.</p><p>Those are all big ones. But I think really. 
When we're talking about the security configuration management space anyways, I do think that CIS is just where you start and then just build from there based on the, the vertical that you find your organization in.</p><p><strong>Neal Dennis:</strong> That makes sense. So shifting slightly back into collective defense and CCTX a little bit. So you talk about your participation there in that community and your involvement within that particular group. So thinking once again a little bit about standards and impact and what that means.</p><p>Are you finding that in this particular community, and this isn't to call out the efficacy or quality, but just in general in a community perspective, are you finding that these types of discussions are taking place in a, in a good light and, and having good interactions? Are you finding that there's still people coming along and yeah, maybe I'll talk with you about it or, or not, or, is there good involvement from the community at large when you offer up these chats?</p><p><strong>Tyler Reguly:</strong> Yeah, so I, I've been, we've been a member of CCTX for a while. I didn't originally attend the meetings and I started attending them last year sometime. And I think the first thing that stood out to me, and I hope it's the same for all the other ISACs that exist, that they're all like this because it's phenomenal, is one, first of all and foremost, and I just want to give a shout out to the people that run CCTX, the commitment and care that they put into it and the number of new programs and features that they start up to try and get the community collaborating is just phenomenal.</p><p>For example, giving me the space to run a vulnerability community of interest and bring together like minded individuals from across Canada to talk about it. And the participation in those has been absolutely fantastic. If my answers don't give it away, I like to talk. 
So sometimes I worry about monopolizing the time at these sessions, but luckily they go the full hour long meeting.</p><p>Every second Friday for that one with almost no silence. We have our weekly Wednesday meetings the CCTX runs, same thing. Those are amazing. The level of sharing and communication and question asking that happens really impresses me. I enjoy it a lot. I've, I've learned a lot. And I think there's a lot of really cool things that come out of those types of sharing situations.</p><p>And I think anyone who's, Canada or not in Canada, but maybe you're in, maybe you're in financial and FS-ISAC is an option to you or something, or, maybe you're a government in the U.S. and you can get into the Multi-State ISAC or something. I think there's lots of options out there, and if you have these things available to you, you definitely should be taking advantage of them because the amount of intelligence you can glean from them is way more than you'll ever accomplish on your own.</p><p><strong>Neal Dennis:</strong> Hey man, I am, I am fighting hard, Elliot, to not turn this into a collective defense podcast.</p><p><strong>Elliot Volkman:</strong> I mean, go for it. It's yours to take.</p><p><strong>Neal Dennis:</strong> but, and we'll bring it back around, but</p><p><strong>Elliot Volkman:</strong> Okay.</p><p><strong>Neal Dennis:</strong> are presenting.</p><p>Without member engagement, without members coming to these meetings, openly discussing things. And let's be fair, it's a Canadian meetup. So nobody's going to tell you to be quiet. They're too polite. But getting engaged, having these discussions is what makes those communities at large impactful. 
You just show up, or for that matter, never show up, but you sign up for a membership, and you're like, give me a feed, and I'll call it a day.</p><p>Good luck in five years, or less, because if too many people do that, then there's no quality, because these smaller communities, or these smaller management with these bigger communities, aren't able to go out and effectively research every nitty gritty thing on their own to impact their membership.</p><p>Especially in a community like CCTX, which is a diverse pool of people. It's not just one focal point. So engagement, involvement in the communities that you're in, ISACs, ISAOs, CCTX, private sharing communities, whatever they are, trust groups, has to happen for that community to continue to move forward.</p><p>And so it's people like Tyler here that, that obviously make that an impact for those communities. So you may say good things about CCTX, but I guarantee you they're, they're way more happy to have you there than, in general, because of what you're doing within the community. So that being said, to bring it back after my little rant and soapbox moment: A, get your butt involved in an ISAC, ISAO, trust group, something like that.</p><p>And if you happen to be in the right industry verticals, get involved in multiple. They'll pay dividends the more you give back into them. But the last piece, back on policy, procedure, vulnerability management, things like that. The other thing I love about these, you have people like yourself that are in these communities that have this breadth of knowledge where I can solicit some kind of request for information or a survey, or just a phone call in a group meeting, right?</p><p>And ask these questions like we're talking about here. Hey, what's your take on CIS for, for a benchmark? And just like what you, I can get that from you in those communities and, and my ability to grow. 
Moves beyond my own four walls because now I've got your wonderful expertise to help me.</p><p>And so taking advantage of that. So anybody who's listening to this that's in CCTX, whatever the next call is, you got your vulnerability management guy here. Go harass him. He's got wonderful stuff to share. Now, flipping this around a little bit and hopefully trying to get us back on track.</p><p><strong>Tyler Reguly:</strong> I don't think we'll ever get</p><p><strong>Neal Dennis:</strong> No, no, we're not.</p><p>We are way out. When we think about, so we talked about benchmarks and the standards a little bit, CIS table stakes, and obviously thinking about your industry vertical to grow this, and we think about uh, prioritization within the aspects of what's available, and then maybe taking that to hopefully leverage that to prioritize your Zero Trust adoption policy and where you need to go.</p><p>What other kind of tidbits? So we think about those two big key aspects. What's something else that maybe we should consider along this journey, even if it's just more pure vulnerability management play, to remind people again of key aspects here as they grow into that maturation cycle?</p><p><strong>Tyler Reguly:</strong> I feel like that was like a softball to queue up me saying CVSS, but I'm not sure I want to say CVSS. I, one of the things that I think CVSS has done a good job of spelling out, finally, is that it is not a risk prioritization methodology. It is about talking about the severity of the vulnerability in context of every other vulnerability.</p><p>It doesn't tell you the risk behind it. And I think that's something a lot of people get wrong. A lot of people want to take CVSS and immediately say this represents the risk. It doesn't. And so they, they've got that text in their documentation. So I think CVSS is one of those things that you just have to use at this point.</p><p>Everyone uses it as a standard. 
Doesn't matter if you go to a Cisco page, a Microsoft page. If you go to NIST and look at NVD, CVSS is there. It's something that we use. It's something that we can make comparisons with, if nothing else, when we talk about vulnerability against severity, not risk.</p><p>We have CVSS v4 out now. If you haven't read it or looked at it, it does make improvements, but also adds complexity over past versions. Also removes some complexity, thankfully, no more scope. Although I have issues with the use of the word penultimate in there.</p><p>If you go read the entire standard and see penultimate, it appears that whoever wrote it thought it meant last and not second to last. So the penultimate provider is who should be giving criticality in some cases. And that seems odd to me. I think whoever is at the end of the chain providing it is probably who should really do that.</p><p>So that's, that's really my only complaint. I think v4, I think v4 is a huge improvement otherwise over previous versions. And so it's nice to see some, some people start to adopt it. I find the problem, and we ran into this problem when we went from v2 to v3, now we have the problem with v3 to v4, is different organizations are using different versions.</p><p>And so we're getting adoption rates that are widely varied. And I just said, and now I'm going to contradict myself, CVSS is great because you can use it to do those apples to oranges comparisons because you have something that's standard. When you have somebody who's using three, and you have somebody who's using, 3.1 I should say, and somebody who's using four, you can't do that severity comparison as easily.</p><p>Yes, it's useful. Yes, use it. Do not consider it a measure of risk and keep in mind that your vendors may not be using the same versions. 
And you need to take that into account.</p><p>I think the thing to really think about when you're talking about vulnerabilities is the source of information and who's telling you that it's important.</p><p>There are those in the vendor space who, who benefit from hyping a vulnerability, giving it a name, giving it a logo, making a web page for it and putting out a big press release that the sky is falling when maybe it's not, is, is just financially beneficial to them. There are media organizations that are happy to pick up and run with vulnerabilities, even if they aren't the biggest thing in the world.</p><p>And then you get something that makes the news, something that your boss sees because it was in a headline in some article somewhere, or it was on the six o'clock news last night. And they want to know what you're doing about that. And they want to shift all their resources into that because they saw it on the news.</p><p>But it may not be the most critical thing for your environment. It may not be the most impactful thing for you. And I like to call it media hype. I like to talk about media hype vulnerabilities. I think that that's something that you have to be aware of when you're prioritizing what you're fixing.</p><p>And it's something you have to give a good answer about when you do have your leadership come to you with something that you know is being hyped by the media, but maybe isn't as critical as three or four other things that have come across your desk.</p><p>Know who your vendors are in your environment and know what they're saying about their own vulnerabilities.</p><p>I think that's important. Now, do some vendors try to downplay their vulnerabilities? Of course they do. Anybody who's followed, loop back to CVSS. 
Oracle, once upon a time, modified CVSS because they didn't want to use complete when they were talking about a database compromise because it wasn't a full OS compromise.</p><p>So they implemented their own in between partial and complete for CIA called partial plus, which allowed them to downgrade what would have been complete, complete, complete to partial plus, partial plus, partial plus. So vendors definitely do that too. But at least your vendor is going to be able to tell you, Hey, the sky is falling.</p><p>This is something we want you to fix right now. If your vendor is not screaming at you, they're not sending you alerts, there's a chance that maybe the media got it wrong, because I know that a lot of companies out there, when they think something is serious, they will yell at you. They'll say, Hey, fix this right away.</p><p>It's a big deal. And again, I think we're seeing that right now with the Cisco one. And the fact that we've got a massive Talos blog post out covering all the details about it. It's got all the IOCs in it. They've done a great job there and we've got patches out for at least the known vulnerabilities. The initial attack vector is still unknown, so there's still some risk there, but they are putting it out there, being open about it and presenting it, and I think that's a really good thing to see from a vendor.</p><p>I think that's a great example other vendors can take away, and it's a way to develop a lot of trust in the vulnerability management processes. If you can sit there and see that your vendor is sharing all this information with you, that's a huge win.</p><p><strong>Neal Dennis:</strong> And Cisco obviously has a wonderfully new shiny penny for log management services, so they should be able to see more stuff. 
Yeah, I, I think that's awesome because literally just plus one the whole entire fact about what we talked about, from a vendor trust relationship, because as an Intel analyst, which the, the, the approach you just described on how to manage that data to make it intelligent for you at a base layer, that's, that's Intel 101. When you consume something from a third party source, I don't care what they label it, I don't care what the feed is called, unless it is purposely curated for your environment by that vendor, and they know you and they're doing this for you kind of thing, that is not intelligence, that is data. And it's the same thing with these, with the CVSS, it's the same thing with the vulnerability pages, things like that.</p><p>You, I don't go and consume every IP, hash or MITRE framework fingerprint, TTP, YARA, whatever it is I'm getting from all my sources. I have to prioritize them. I have to rack and stack those things to make them actually intelligent for my environment. And I think for you talking about vendor trust and relationships around that, that's a great way to start.</p><p>If the vendor obviously is telling you, Hey, you're screwed, do it now, do it. But if you've got, and some, and a lot of corporate networks and a lot of larger enterprises, they're looking at 600, 700 minimum sources of, of software and product that they have in their environment at a minimum. So that, that supply chain aspect of things, and there's things that are echelons down, like SolarWinds was for people. SolarWinds, big fricking company, but most people didn't know they had it. And this goes back to: understand your environment, understand what your company's priorities are to keep the dollars and the lights on.</p><p>And then you rack and stack from top to bottom what that is. And then hopefully you understand your bill of materials for those key resources. 
And then you can maybe start building that relationship with the vendor, depending on the scale of your company. Or at least some awareness within what that factors.</p><p>But to your point, there's crap. It's all crap until you've been proven otherwise. And don't just take everything for what the third party says it is. Make it intelligent for you. And then hopefully you won't have to get up Saturday at 3 a.m. after having a wonderful binger on Friday night to hear your sister yell at you because she read some news article on Ars Technica.</p><p><strong>Tyler Reguly:</strong> You put that much more succinctly than I did.</p><p><strong>Elliot Volkman:</strong> appreciate</p><p><strong>Neal Dennis:</strong> from that vulnerability aspect. So I love it. I think it's, I think it's awesome. I think it's hilarious as well as awesome that you've considered that and obviously deal with that as makes sense.</p><p>Like you should. And it's, it's just the, the parallels between my life and your life in those same veins is about the same, because you'd get a phone call as a vulnerability management guy when that Ars Technica blog comes out at 3am, but the Intel guy is also getting a phone call to talk about where, who is actively doing X, Y, and Z while you're getting told to go fix it.</p><p><strong>Tyler Reguly:</strong> Yep, or write coverage for it as we do. 
Yes, which is, we haven't talked about</p><p><strong>Neal Dennis:</strong> Oh, oh, yeah.</p><p><strong>Tyler Reguly:</strong> You talked about, you can't turn on all of your feeds and you can't take every YARA rule you're sent and everything you're given, and I just thought about the fact that, you know, that's, that's one of the big things people don't give enough thought to: the false positives that you start to generate when you turn on everything and you just take everything and you just throw all the noise out there. And being in, in that space and watching, that's what my team does, right?</p><p>Is we, we ship the content that powers a VM tool. That's, that's what we've done for, that's what got me into this was starting to write content that powered a VM tool 18 years ago. I've spent a lot of time and seen a lot of changes over time in how you go from something that is quote unquote false positive prone to a direct condition test.</p><p>And I, I don't want to name the software, but there's, there's one example that I absolutely love. And this is, this is just gonna be a pure vulnerability thing, but anecdotally, I find it fascinating. Back in 2014, a product from a very large two letter company had a vulnerability in it that allowed anyone who could communicate with the open port that was just listening by default to execute commands on the host.</p><p>It was just there. It wasn't technically a vulnerability because it was a feature that they had put in the product. So it, it came to light, came to the attention of other people. People started exploiting it, exploits showed up in all the popular exploit frameworks for it. It was very easy to take advantage of, and it was, and I'm going to do air quotes, patched.</p><p>There we go. I got to get them into the frame, but what they really did is they introduced an option to turn it off. So fast forward, that was 2014. I just had a conversation with somebody who installed the 2023 version of this software. 
And we reported this 2014 CVE on it. And they said, this is impossible.</p><p>This is a false positive. And I said, it can't be a false positive. It's a direct condition test. We're actually testing to see if that vulnerability exists. So we ended up getting the software, installing it. And sure enough, could exploit it. That checkbox is still there to disable the setting, but it is still enabled by default on the latest version of the software.</p><p>And so I guess that's an example of where vendor trust doesn't work, but I think it's a great example of how you have to know the type of content that you're turning on and running and know if it is something that is, in the VM world there used to be this term, a banner check. Is, is it a banner check or is it something that's actually testing the condition?</p><p>Because you can alleviate a lot of your stress, a lot of your pain points, and a lot of your back and forth with either your operations team that's involved with dealing with it, or your vendor, by knowing sort of the, the fidelity of the check that you're dealing with. And so I think that's an important thing to throw out there, too, that organizations need to think about is how much can you trust your detection?</p><p><strong>Elliot Volkman:</strong> the,</p><p><strong>Tyler Reguly:</strong> a VM problem, right? That same thing exists in the IDS world. It exists in the SCM world. It exists anywhere that you have content or signatures or whatever other term you want to use coming from your vendor. The antivirus world. There's a Python library that I can't for the life of me install on my computer without turning off Windows Defender first, and it's a valid Python library, but Windows Defender wants to flag it and remove it every single time. 
So there are, you have to, you do have to consider those things as well and make sure that you have a high level of confidence in whatever you're using for whatever method of detection you're performing.</p><p><strong>Neal Dennis:</strong> Yeah. I love the, the wonderful, it's not a bug, it's a feature response from product companies. Now we meant to, we meant to do that and break the product. So thinking a little far forward then on this. So we, vendor relations, supply chain, there, there's a whole two hours worth of a podcast just talking about supply chain risk mitigation and how to handle those and build those relations.</p><p>And so for LA, maybe that's a fun one where we get a couple of, I think that'd be a fun one to have just someone working at a company, vendor side of the house, a couple of people to talk about what they would like to see from their, their client base. That'd be a fun chat. That being said, I'm curious about your take on, on how often you see someone obviously push the patch, but don't test the patch perspective, or how often someone should realize that when they push the patch, they should test the patch.</p><p><strong>Tyler Reguly:</strong> Yes, I like to call this the patch management versus vulnerability management debate. Because those are two very different things and I, I wish I could make more people realize that. All the time. And I've, I've got a few examples. I think the biggest one is just, we'll just say it, Microsoft in general.</p><p>If you ever take a look at any Patch Tuesday, and I've taken a look at hundreds of them, then you'll know that there are always vulnerabilities that have post patch configuration steps in order to fully remediate them. And I can't tell you the number of conversations that I've had over the years with people who WSUS rolls out the updates for them.</p><p>Oh no, I pushed those updates. Look, the update is installed. That's great. But the update was step one. 
Did you then go in and apply this registry key that turns on this feature and this registry key that changes this value? And the answer is almost always no. So I think that's a huge one. The best one, and we gotta go back in time a little bit for this, but IIS famously had an issue from Windows Server 2000 all the way up to about Server 2008-ish, where if you were on a service pack, so let's say you installed Server 2003, and then you updated to Service Pack 1, you updated to Service Pack 2, and then, after Service Pack 2, you turned on IIS.</p><p>It would grab those core unpatched IIS files that had come with the installation. It didn't have the replacement Service Pack ones on it. So you could be running Server 2003 Service Pack 2, but your IIS was actually at the non-Service Pack level. And so all those IIS vulnerabilities still existed.</p><p>And so we dealt with dozens of customers who would come to us and be like, no, no, no, I'm running Service Pack 2. This vulnerability says it doesn't apply to Service Pack 2. But you ended up in this weird state where the service pack was half unapplied, but because you never tested it, you never even looked to see, do I have the right files afterwards?</p><p>And I just suggested this. So you talked about great phone calls coming out of, like, CCTX and other organizations like that. I ended up spending an hour on the phone with another member of CCTX talking about VM and SCM just last week. And one of the things I pointed out, I think an often overlooked feature of FIM, file integrity monitoring, is actually verifying that when you apply a patch, all your files get replaced properly, because that's what a patch usually does in the Windows world: it updates files. If you apply a patch and you have no file changes on your system, you probably didn't apply that patch. Something to keep in mind. 
So I think there's lots of ways to validate.</p><p>Often Windows makes it really easy for you: did the file version increment? And often they make that available for you in the file manifest. They're not as accurate since they went to the new patching method as they used to be. There's a lot of blank data in their manifest, but there are lists of file versions out there.</p><p>Then you can always check it yourself: check the date, check the file version, check your FIM tool, test it, verify with a vulnerability management tool. There's lots of ways to test, but that is a huge problem, of people not validating that a patch is properly applied. Everyone wants the, what was it called?</p><p>Ronco? Ronco? Yeah, right? The set-it-and-forget-it approach to patching, and it's not that simple. You have to do follow up.</p><p><strong>Neal Dennis:</strong> No, that makes sense. I love it. And Elliot over here, trying to chat with us while we're talking. Oh yeah. Fair play. I'm getting my,</p><p><strong>Elliot Volkman:</strong> guess I'll just chime in. Yeah, we're going to give him the soft exit.</p><p><strong>Neal Dennis:</strong> gonna call you out. No, no, so I actually don't think I have any other questions, to be fair. I think from a curiosity perspective I have a rabbit hole that I want to talk to, but not on this call. But I will say, for my part, I, one, find it fascinating that you're a part of CCTX and involved.</p><p>And I love that. So thank you for doing your part to help that community and that engagement. And I'm going to probably be harassing you through Rob, Rick, and Gina, simply now that I know who you are, so be prepared.</p><p><strong>Tyler Reguly:</strong> I welcome it. 
Awesome.</p><p><strong>Neal Dennis:</strong> And then last but not least, I'll just iterate on once again that I think there's a lot of really cool potential to leverage this type of teaming, the vulnerability management team and that crew, to help build your Zero Trust policy from the ground up, right? Not just to include it as, hey, when should we patch, but legitimately take advantage of the work that a team of Tyler's has done to understand the nuances of the infrastructure and understand how to keep from getting a phone call on Saturday morning.</p><p>And I think those are key aspects that, when going down the Zero Trust pipe, those are questions that you're hopefully asking, and hopefully don't have to ask if you have that team already established, or at least not have to ask as many questions around. So I think that to me is one of the biggest key takeaways from a pipeline procedural perspective: obviously get you all involved, and the sooner I can get someone like you involved at my organization, the less work I have to do to start the rack-and-stack part of that procedure, potentially.</p><p>So pretty cool. I'll throw it back over to Elliot and</p><p><strong>Elliot Volkman:</strong> All right, I've got one very short question, which I think you've sort of, kind of... You talked about the why, but let's say hypothetically you're a strange introverted person and you're a little bit uncomfortable contributing and being part of these communities. What in your perspective would maybe ease people in?</p><p>'Cause these things are established. They've been around for a while, but yeah. Are there mechanisms in place, or what is your general thought of, like, how do you throw yourself in there?</p><p><strong>Neal Dennis:</strong> Join a Canadian community.</p><p><strong>Tyler Reguly:</strong> I would say, and maybe I talk too much for this to come across, I like to call myself a very shy introvert. 
If you see me at RSA, I'm probably the person, not that I'm going, but if you see me at a conference, I'm the person standing in the corner, usually not speaking.</p><p>I don't like to talk to strangers. I will talk forever if you start a conversation, but I don't want to introduce myself to you. And that's not that I don't want to, it's that I'm completely terrified of the idea of even considering that. And so for me, I started joining these calls and I sat in silence week after week after week, just listening.</p><p>And I don't know when a switch flicked for me, but all of a sudden I was sitting there on a call and something came up and I was like, oh, I can talk. I know these people now. They had never heard my voice before, but I had listened to them talk so many times that I felt familiar with them.</p><p>But I think the biggest thing to take away is that everyone at these groups is just looking to improve. They're just looking to better their organizations, the community itself. And you are part of that community. So if you can give back in any way, that's how I look at it. Again, I say I'm shy.</p><p>I taught college for several years, developed a number of college courses in cyber security. And afterwards, when that ended, I still mentor. I've done some teaching for local community teenagers on Intro to Programming and stuff, and all of that stuff is not because I want to do it, because I'm terrified every time I do it, but it's because I want to give back.</p><p>And as somebody who's in my position, that is a very easy way for me to give back. Everyone's like, oh, that's so great that you're mentoring these people. And I'm like, no, it's really easy, because I know it all. I don't have to really do anything. I just get to have a conversation. And so if you're in an area where you're comfortable, everyone else wants to hear what you have to say.</p><p>They're excited to hear what you have to say. 
So just take the opportunity to turn off the mute button and speak up. And it's going to foster amazing relationships, because it's been incredible for me every</p><p><strong>Elliot Volkman:</strong> I love that. That is very similar in nature to why we essentially built this podcast, plus to rag on really bad marketing and people abusing the Zero Trust term. If anything else, it's an easy networking opportunity. Obviously you have been basically in the same org for a long period of time, but there's a lot of movement.</p><p>If nothing else, being able to connect with your peers and other organizations, there might be an open door for you somewhere down the road. So that certainly makes sense to me.</p><p>But with that all said, it is the end of the hour. It is the end of our time, but you have certainly covered some things that Neal is very interested in and that lightly touch on the vulnerability side. So maybe we'll come back around for round two for some of that, and we'll build like a panel conversation. So Tyler, thank you so much for giving your perspective. If our listeners are still jiving along for this, definitely check out some of Tyler's work, because your group publishes a good bit of stuff and a lot of research. I'm definitely well acquainted with some of the research that comes out of your org, and it generally is really impactful and top notch. So I'll throw that out there as well. So Tyler, thank you so much for being here. Really appreciate</p><p><strong>Tyler Reguly:</strong> having me. This was a lot of fun.</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, go to adoptingzerotrust.com. 
Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.</p>]]></content:encoded></item><item><title><![CDATA[The Unstoppable Phish: A Discussion with Vivek Ramachandran]]></title><description><![CDATA[Season 3, Episode 10: Elliot chats with Vivek Ramachandran of SquareX about his approach to tackling the impossible: Social engineering.]]></description><link>https://www.adoptingzerotrust.com/p/the-unstoppable-phish-a-discussion</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/the-unstoppable-phish-a-discussion</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Tue, 02 Jul 2024 10:31:12 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/146146355/109072f06b34d0db00558a9dfbc41e42.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a 
href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>,&nbsp;<a href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>, or&nbsp;<a href="https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2Fkb3B0aW5nLXplcm8tdHJ1c3QvZmVlZC54bWw">Google</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>For nearly three decades, social engineering, particularly phishing, has been one of the most impactful and financially draining cyber threats. Between security awareness training, email security gateways, generative AI, enterprise browsers, and a slew of other tech like EDRs and XDRs, social engineering has yet to be thoroughly thwarted. The reason for that is straightforward enough: social engineering is a psychological threat, not just a technological one.</p><p>In our last round of interviews from RSA, we chatted with Vivek Ramachandran, the founder of SquareX, who is attempting to tackle the challenge. Vivek also walks us through a more realistic perspective of how threat actors use generative AI today, which goes beyond the more unique what-if scenarios we&#8217;ve seen in headlines in the past two years.</p><h2>Key Takeaways</h2><ul><li><p>Social engineering and phishing attacks remain a significant threat, and everyone can be a target. The sophistication of these attacks has increased due to advances in AI.</p></li><li><p>AI can craft messages that sound remarkably like someone the recipient knows, enabling rapid scalability.</p></li><li><p>Social media platforms are becoming common channels for launching phishing attacks. 
Attackers exploit the trust that users place in these platforms and their contacts.</p></li><li><p>Vivek Ramachandran's company, SquareX, deploys a browser extension that can attribute attacks and detect and block them in real-time, providing valuable information to the enterprise.</p></li><li><p>Traditional technologies like Secure Web Gateways (SWG) have matured, and attackers can easily bypass them.</p></li><li><p>Enterprise browsers solve the problem for a small niche group of websites but have adoption friction due to the inconvenience of having a dedicated browser.</p></li></ul><h3>Editor&#8217;s Note</h3><p>It&#8217;s July, which means everyone will start disappearing for summer activities. Even if you have a road trip on the books, chances are you won't want to listen to cybersecurity-related chats (I know your family won&#8217;t), so we&#8217;re taking the month off. In the meantime, we&#8217;ll get some episodes booked and recorded and should be back in action in August.</p><p>Also, I kept a clear line in the sand between where I worked and our show, but I have since switched to a new role. To that end, I absolutely can&#8217;t discuss anything that happens over at the new spot, but I am working on a pilot series with a former colleague, Troy Fine, to discuss GRC and regulations since that was off-limits until now. Let us know if you have any suggestions for topics, but TJ will offer his unfiltered perspective as an auditor.</p><h2>The Persistence of Social Engineering</h2><p>Despite advances in cybersecurity, social engineering remains a significant threat. Today, everyone is considered a potential target, and the sophistication of phishing attacks has grown with technological advancement. As Vivek Ramachandran states:</p><p><em>"Phishing attacks have been there for a while. 
In recent times, I think they have gone ahead and become a lot more potent, primarily because of all the AI everything which is coming out."</em></p><p>Key points:</p><ul><li><p>Social engineering and phishing attacks persist due to the growing digital nature of our world.</p></li><li><p>The sophistication of these attacks has increased due to advances in AI.</p></li></ul><h2>The Role of AI in Phishing Attacks</h2><p>AI has revolutionized many aspects of our lives, including the nature of phishing attacks. AI can now create messages that sound exactly like someone you know (including a member of my family targeted by a clone of my voice), making it far more challenging to identify phishing attempts. Vivek Ramachandran's view of how attackers actually use it is more grounded than the headlines:</p><p>While we have seen an increase in headlines indicating that threat actors are using gen AI to create malware, the most common scenario is a more direct spear phishing lure. A bit of web scraping, some copy/pasting, and a few prompts, and you have a series of lures that are highly personalized. Combine that with other open source information about a company, who you work with and for, and social account takeover, and you have a recipe for disaster. These platforms also make it remarkably easy for attackers to scale their campaigns through automation.</p><p>Key points:</p><ul><li><p>AI has made phishing attacks more potent.</p></li><li><p>AI can craft messages that sound remarkably like someone the recipient knows, increasing the chances of success.</p></li></ul><h2>The Infiltration of Social Media</h2><p>Attackers are increasingly using social media platforms to launch their attacks. Whether through messages or links posted on Slack or WhatsApp, attackers are exploiting the trust users place in these platforms. 
Vivek Ramachandran comments:</p><p><em>"Attackers are not just using emails. They're actually trying to fool gullible employees by posting links on Slack, WhatsApp, web, Telegram, and whatnot."</em></p><p>Key points:</p><ul><li><p>Social media platforms are becoming common channels for launching phishing attacks.</p></li><li><p>Attackers exploit the trust that users place in these platforms and their contacts.</p></li></ul><h2>The Role of SquareX</h2><p>Vivek Ramachandran's company, SquareX, aims to tackle these issues by deploying a browser extension that can attribute attacks. This extension can detect attacks in real time, block them, and provide an attack graph to the enterprise portal. According to Ramachandran:</p><p><em>"The moment we detect that an attack has happened, maybe a ransomware was downloaded or a spear phishing campaign is in progress, we automatically block, rewind and then take that entire attack graph, or how the employee ended up ending in that location, and send it back to the enterprise portal, where we can even do automatic remediation across the entire enterprise."</em></p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot:</strong> Welcome to Adopting Zero Trust, not so live from RSA Conference 2024. Today we are going to be discussing, well, there's actually a lot to discuss, but it is going to be a pretty simple topic with so many complexities and challenges that has yet to ever be solved, which of course is social engineering and phishing.</p><p>There's a little bit more that goes into it, but before I get into it, let me, maybe we can have you introduce yourself so I do not butcher your name as I am known to do. 
Vivek, can you tell us a little bit about yourself, where you were, obviously, that led you into these current shoes, and we'll go from there.</p><p><strong>Vivek Ramachandran:</strong> Thank you so much, it is super exciting to be on your show, especially live here at RSA. I'm Vivek Ramachandran, I've been in cyber security for the past 20 years. The last 10 years I've founded multiple companies which have exited. Thank you. And really my speciality, right from the time that I started cyber security, was really breaking security.</p><p>So I've done a bunch of research, discovered a couple of first-in-the-world attacks, was a speaker at DEF CON, Black Hat, and all of these places. One thing led to the other, and that is really where I started Pentester Academy, a wireless monitoring company. And then all of those learnings eventually led to SquareX today.</p><p><strong>Elliot:</strong> So you could say you're probably a little passionate about our space. That is</p><p><strong>Vivek Ramachandran:</strong> exactly what I sleep, dream, think, can't say eat, maybe one of these days they're going to have a pie with security on it.</p><p><strong>Elliot:</strong> Amazing. So you have obviously been in this space much longer than I have. So you have seen it grow, the threats, changes, TTPs, all that shifting landscape.</p><p>Why today has social engineering not gone away? If anything, has it become worse? Why is it such a significant problem that organizations are unable to fight against?</p><p><strong>Vivek Ramachandran:</strong> Yeah, that's a good question. Today, if you think about it, the whole world is digital, which is, no matter whether you're a mom or pop, grandpa, grandma, whoever, you're forced now to transact digitally.</p><p>And that is really where, compared to 10 to 15 years back, almost everyone is a tech product user. Unfortunately, technology has been growing in leaps and bounds when it comes to complexity, right? 
And most people are also very gullible, because they feel there is a sense of trust with whoever they communicate with.</p><p>Now, phishing attacks have been there for a while. In recent times, I think they have gone ahead and become a lot more potent, primarily because of all the AI everything which is coming out. So if you recall, back in the day, you used to receive a very grammatically wrong email. But now, of course, with ChatGPT and whatnot, that sounds exactly like your boss, exactly like your friend.</p><p>And this has led to phishing and spear phishing attacks and all of that starting to become a major concern for organizations, because attackers have realized that the absolute weakest link in an organization is end users.</p><p><strong>Elliot:</strong> I am so glad that you put it this way, because I know it can be a little bit of a taboo subject to blame the users, but that's how it works.</p><p>Social engineering is effective because it's not a technological issue. It is a cultural phenomenon where people just want to believe and trust in what they have, which obviously loops back into that lovely world of Zero Trust where we trust and verify again. So building upon that, maybe we can jump a little bit further.</p><p>And I think one of the main things that you called out, which I appreciate, is that you focused on the simple components of generative AI and how it can be abused. It's not necessarily people are creating ransomware and malicious code, which they can. Neal on our podcast has done that himself, and he's done that in a legal sense, for the record.</p><p>But yeah, I would love to know. Maybe we need to get a little bit further. What have you seen? What has your organization seen? And then maybe we can talk about how you're helping resolve some of those threats, which are again what we call the unstoppable phish. It's just difficult to go through. 
So yeah, what kind of threats have you seen in that regard?</p><p><strong>Vivek Ramachandran:</strong> Yeah, so I think, you know, lately what has happened is attackers are targeting enterprise users across multiple channels online, right? And I'll give you examples, right? Imagine that someone is targeting multiple folks on your sales team by sending them a DM on LinkedIn saying, you know what, we are super interested in buying your product.</p><p>Of course, and by the way, we've attached a small document containing details of the order and, you know, how we want to move forward. Now, of course, every salesperson is going to be super excited to see this, download, open, and unfortunately get infected.</p><p><strong>Elliot:</strong> Yeah.</p><p><strong>Vivek Ramachandran:</strong> So attackers are not just using emails,</p><p><strong>Elliot:</strong> right?</p><p><strong>Vivek Ramachandran:</strong> They're actually using LinkedIn, they're trying to fool gullible employees by posting links on Slack, WhatsApp, web, Telegram, and whatnot. And this is compounded by the fact that now we live in a hybrid work world, where on the same office laptop, people have their personal Gmail, Signal, Telegram, every single thing open.</p><p>So attackers have realized that, look, why do we have to go ahead and send you that phishing email on your enterprise email, which probably is protected by email security tools like Material Security and whatnot? Instead, I should actually be targeting your personal email or your LinkedIn account. So I think this has intensified the way spear phishing attacks are now happening.</p><p>Also with LLMs, it is super easy. 
Imagine today that I could train an LLM on your entire organization chart so that it fully understands contextually who you report to, who your coworkers are, your latest LinkedIn post, and then it can actually craft a very interesting message, almost a just-in-time phishing campaign about something that you were super interested in and you just posted about.</p><p><strong>Elliot:</strong> Interesting. So you're saying that this really just scales urgency, which is one of those significant factors that make people fall for it.</p><p><strong>Vivek Ramachandran:</strong> Absolutely. Absolutely. And I think this is going to compound, simply because attackers, and we know that every company is absolutely running right now to adopt LLMs.</p><p>You know what, attackers are doing the same. In the hacker underground, there are actually GPTs like bad GPT where malicious code can be generated, malicious campaigns can be generated, and where you can actually do all of this spear phishing a lot more accurately when targeting a person.</p><p><strong>Elliot:</strong> Interesting. So one type of social engineering tech that I've seen is tied to account takeover, especially as you were referencing social, is that organizations, they have... I'm curious if you have any particular thoughts on that approach, and how much worse it's going to be now that maybe a model can basically crawl, see who the entire org chart is and know exactly who they should attack on a trusted site where you already have those connections?</p><p><strong>Vivek Ramachandran:</strong> Absolutely. And you brought up a very good point. 
And that is really where what attackers have started doing is, almost everyone has social media accounts, whether it is on LinkedIn, Twitter. It's almost become mandatory to be present in many of these channels, and people literally say, hey, you know what, if you aren't out there, you aren't even considered serious when it comes to your corporate career. Now, to your point, what has happened is many of these social media channels have also become ways to message between users and to interact, right?</p><p>And unfortunately, this is really where once, let's say, an attacker can seize your LinkedIn</p><p><strong>Elliot:</strong> account</p><p><strong>Vivek Ramachandran:</strong> or probably a Twitter account, which you haven't given too much serious thought about how to protect. He could immediately start connecting to your coworkers, to your customers, who probably happily respond because they are hoping that it is just you.</p><p>The best example I can give you is a lot of influencers have actually been targeted on YouTube and whatnot,</p><p><strong>Elliot:</strong> interesting,</p><p><strong>Vivek Ramachandran:</strong> where, if I remember, even this very big channel Linus Tech Tips, if I remember right? Oh,</p><p><strong>Elliot:</strong> yeah,</p><p><strong>Vivek Ramachandran:</strong> His entire account was taken over completely.</p><p>He was locked out. And had he not been an influencer with close to 100 million followers, I'm guessing he would probably never have gotten that account back. 
So this is intensifying, where attackers are figuring out that, well, you know what, your identity is spread across both your personal and your enterprise channels.</p><p><strong>Elliot:</strong> I appreciate that you called that particular piece out, because we wrote an article probably last year. There was a massive wave of LinkedIn accounts that were having account takeover issues, but it wasn't a LinkedIn issue.</p><p>Users are in multiple different breaches. And of course, those passwords are reused. And it's just like this horrible chain and cycle, where if you're hit somewhere else, then there's all these different components. And it's hard for an organization to be able to protect against a scenario where your user, again, ends up being the weak link.</p><p><strong>Vivek Ramachandran:</strong> Exactly, and you brought up a very good point, right? Organizations are very used to protecting resources that they own, right? So your corporate email is something, you know what, the organization owns; they can do whatever they want. Now your personal email, your personal LinkedIn account.</p><p>If an organization reached out and said, you know what? We want to protect this. You would view that as an intrusion into your privacy. And unfortunately that's really where they really can't do much, but most employees would end up opening the same account on their corporate laptop, exposing that device.</p><p><strong>Elliot:</strong> Yeah. And obviously organizations can block social networks and all that. But in today's world, being on LinkedIn and all these other sites, it's kind of part of the territory, even as cybersecurity practitioners. That's one of the sort of safer zones. No one's going to be on, like, Meta properties, for example, but yeah.</p><p>So let's pivot over to your world. You have ways to help resolve some of these things, which again are considered unsolvable. Maybe we just start right there. What have you built? 
How are you protecting organizations? How are you trying to reduce some of that blast radius, right?</p><p><strong>Vivek Ramachandran:</strong> So I'll start off with the problem that organizations face and how Square X is solving it. So I'll give you an example where you know, an attacker is approaching organization employees across multiple channels like LinkedIn, Twitter, email and whatnot and sending them a link or a ransomware which finally gets downloaded, right?</p><p>And once it downloads onto your employee's computer, God hope that your endpoint security picks it up. But for a second, let's give endpoint security some credit and say, you know what? It does something. Now, at that point, your IT security team is looking at it and saying, Okay, all endpoint security is telling me is the Chrome browser ended up downloading a malicious file.</p><p>So he goes to the user and says, Rob, what did you do? And Rob either doesn't remember or doesn't want to admit. And this same pattern ends up, going across the whole enterprise. So what Square X is really doing is we deploy our product as a simple browser extension, which can run on any browser.</p><p>And really, we sit down over there and we can attribute that attack. So the way we do it is as an employee opens a tab and kind of goes through, different websites. The moment we detect that an attack has happened, maybe, a ransomware was downloaded or a spear phishing campaign is in progress, we automatically block, rewind and then take that entire attack graph or how the employee ended up, ending in that location and sending it back to the enterprise portal where we can even do automatic remediation across the entire enterprise.</p><p>Interesting. So the very first time that Rob faces this. Immediately, everybody in the enterprise is automatically secure. Now, what this helps the enterprise admin with, is of course you know that an ongoing attack is happening.
Endpoint security had no visibility into the browser, and now you have visibility into that.</p><p>Most importantly, you can even figure out your most insecure users, who unfortunately are, the target of most of these attacks.</p><p><strong>Elliot:</strong> Interesting. Obviously higher value targets like financial departments and whatnot. I'm sure there's probably other ways to keep an extra eye on those folks.</p><p><strong>Vivek Ramachandran:</strong> Absolutely. I think, your finance department, customer support is a very big target. Especially</p><p><strong>Elliot:</strong> recently.</p><p><strong>Vivek Ramachandran:</strong> Exactly. And human resources, because they are used to getting things like resumes from unknown people. And they're expected to open it up and view it.</p><p><strong>Elliot:</strong> That is a really good point.</p><p>So I'm curious, there are obviously other I'm sure you don't like to talk about competing solutions and what have you, but there's enterprise browsers today which might be downstairs and ranking and I don't know maybe a billion dollars somewhere. They're pulling a lot of money. There are other technologies which are legacy and is not tied to the browser like email security gateways. So I'd love to know in your perspective how are you trying to cover all of that?</p><p>Multiple use cases and resolve some of these other things, or are you trying to attack a specific use case and niche? Yeah. How are you? How are you approaching this?</p><p><strong>Vivek Ramachandran:</strong> So that's a great question. So I'll begin with the more traditional technologies like, SASE, SSE, secure web gateways. And really, these were cloud proxies.</p><p>And the whole idea was your organization's web traffic, as your employees are on the browser, goes through these SSL intercepting, SWG proxies.
And in the cloud, they're supposed to look at web traffic and that's really just network traffic of HTML and in for application layer attacks.</p><p>So you already see how difficult that jump is going to be. SWGs were invented almost a decade back, and to be honest, they have come of age. It is fairly easy for attackers to evade secure web gateways, do bypasses using last mile reassembly attacks and whatnot. Yeah. And hence, hopefully, most organizations realize that apart from, some very basic URL filtering and whatnot, they aren't very good.</p><p>Interesting. Now, coming to enterprise browsers, I think the whole genesis of that field happened primarily because I think, enterprises felt that at least for their internal applications and SaaS applications, they wanted to make sure that they very tightly control, that access control part.</p><p>So enterprise browsers are complete browsers that you have to download and install, most of them off Chromium. And once you do that, your employees can only access your internal portals and SaaS, websites like Salesforce and whatnot through those browsers. So the problem that they solve is just for that small niche group of websites.</p><p>Downside of this is, unfortunately, we all use a cocktail of browsers, right? We use Chromium for something, people have their social media open on Firefox, Brave when you want to visit those news websites, which are, completely full of ads and whatnot. So the biggest friction, within organizations is to force users to use their browser which is the enterprise one.</p><p>The second thing, of course, is, being based off Chromium. A lot of times when vulnerabilities are detected in Chromium, there is this huge timeline between that detection and these browsers syncing, those patches and fixing it. Interesting.
Lastly, from what I've heard, the kind of adoption has had a lot of friction simply because of the inconvenience of having a dedicated browser.</p><p>Right now, we don't specifically look at access control. What we look at is. The wild west, malicious websites, files, networks, scripts, and whatnot. And because we deploy as a browser extension, which can work on any browser hey, organizations can adopt it in a matter of minutes. Interesting.</p><p>So</p><p><strong>Elliot:</strong> I'm curious on back in the day, for an org that had an email security gateway, they would have crawlers that would go across the web to basically find anything that looks a little iffy. Especially if they're using popular brand names and they're on domains that don't belong. What is the technology behind the scenes that allows you to attack that?</p><p>Is it like, you're reliant on someone to report something, which is obviously how most of that email side work. But yeah, how does that technologically work to help reduce some of the stuff that even like the standard Chrome browser doesn't, avoid a phishing lure?</p><p><strong>Vivek Ramachandran:</strong> Yeah, no, that's a great question.</p><p>I think. Email security gateways, good example. Now, unfortunately, when you crawl the web or any target link from your cloud servers to check whether it is good or bad. Yeah. It is fairly trivial for attackers to detect that this is actually coming from a data center. And serve you a nice, sweet, innocent looking page.</p><p>Now, this is really where it is very important to assess the threat from the perspective of the user while he's surfing the web. Yeah. And by sitting in the web browser. We have that vantage point where we can look at everything on the web, but from the user's perspective. What we do is, we deploy as a browser extension, and that monitors every tab, every page.</p><p>We look at DOM changes, we look at browser events, we look at network events. 
And then we correlate all of that, and we run ML models right there in the browser using WebAssembly. So the best part is, we are where the security metrics and the availability of, raw data is at its maximum, which is in the browser itself.</p><p>Now, had you to sync all of that data in real time with a cloud service to go about detecting attacks, you can imagine the sheer amount of megabits that you would have to go ahead and sync, making it absolutely impractical. So we feel that if you have to detect attacks happening against your employees on the Internet.</p><p>The best place is actually to sit in the browser itself. That's super interesting.</p><p><strong>Elliot:</strong> I'm trying to think of a way to like properly position this. Back in the day when I worked with an organization that focused on the, capturing lures and CT sites, trying to take those down. A lot of what you were saying is the defensive mechanisms.</p><p>And at any time there is a new popular way to track or try to I don't know, identify these issues, they would change their techniques again, to the point where if you're not on the right device, maybe not IP address, but they have so many defensive measures to make sure the right target is seeing it.</p><p>So you're basically saying that is how you're resolving it sits on the browser. So it looks exactly like the user in the exact experience.</p><p><strong>Vivek Ramachandran:</strong> Exactly. So almost imagine us as a security co-pilot. Like a little parrot, like sitting on your shoulder almost looking down and seeing exactly how you view the internet and, God forbid you are on an attacker's website, then how the attacker is going ahead and serving that website to you and that gives us a full idea about detecting the attacks and all of that because, hey, we have access to every single thing right there in the browser.</p><p><strong>Elliot:</strong> Very cool. Okay.
I love that you're basically trying to attack their defensive measures because I know there are solutions out there, but you're able to do that. And eventually as you gain, I'm sure in popularity, they will try to identify that there's a little writer on there or something to that extent, but that just comes with the territory.</p><p>That is why it is impossible to fully squash out cybersecurity challenges.</p><p><strong>Vivek Ramachandran:</strong> Yeah, absolutely. I think, and that's a good problem to have because, that validates our thesis. And really, I think, from that perspective, it's going to be very difficult for attackers simply because, they'll always be guessing and they probably have to figure out if something like Square X is really sitting and watching their every movement, but you're absolutely right.</p><p>And to be fair to attackers, they learn, they evolve, right? So I'm guessing at some point of time, there is going to be, that little arms race. Yeah. And hey, that's going to be a great problem to have. And the team and I are excited for business</p><p><strong>Elliot:</strong> to get there.</p><p>Very cool. I want to totally derail this conversation only because I am intrigued. You're not just a technical co founder and not just launching things that, companies have sold and been acquired, but you have a very creative background to your colleague over there shared I guess what would be a comic book of sorts.</p><p>But you. For a young organization, and I say that trepidatiously a little bit only because you've done this before, but you get branding and it's weird because cybersecurity brands are terrible. They're ugly, but you've got like mascots, you've got character in there. So I've got to know like where does that come from?</p><p>Because that is complete opposite side of the brain.</p><p><strong>Vivek Ramachandran:</strong> Yeah. So I can tell you something. It was around a very interesting incident. 
So once I sold Pentester Academy, my previous company, which I exited. I had a little bit of time and one of the days my elder son came to me and he said, Dad, what do you do?</p><p>And, he's old enough. So I told him, Why don't you go Google dad's name?</p><p><strong>Elliot:</strong> Yeah.</p><p><strong>Vivek Ramachandran:</strong> And I was very curious. You know what the internet would tell him about me. And what he read was, hey, Vivek Ramachandran is, one of the top hackers. And then he googled the word hacker. And what came out was, hey, bad folks who, you know, yeah, who end up, going ahead and, fooling people and doing this and doing that.</p><p>So that to me was a very big shock and surprise because I figured that unfortunately the mainstream, like media narrative of hackers is akin to bad people rather than folks who are curious around systems and how to break them and all of that. And even if you remember the very first hacker manifesto, that line is very beautiful.</p><p>Curiosity is my crime. So I felt, that I wanted to do something where we could try to change the at least for young folks. And that is really where I said, what better way than a hacker comic, right? Yeah, all of us as we grow up we go through this phase where we read comics.</p><p>We love superheroes. I don't know if it's a phase, some of us don't go out of it. Yeah, I mean I have not, you know, I still buy all the superhero comics and you know can't wait for some of the Marvel movies. And that is really where I said, why not we go ahead and create a hacker vigilante comic book series. Yeah, but with the key difference that this is a very realistic portrayal of the attack. Yeah, rather than a Matrix style or Swordfish style, right?</p><p>You know where you know, Neo just waves his hand and you know all the systems give way. Yeah.
So what I did was I hired a creative team. I can't draw to save my life. But I went ahead, you know, wrote everything out and that's when we launched the comic and I think it's been received very well, people come to us and give us great compliments.</p><p><strong>Elliot:</strong> Very cool. I will applaud you there and I say that carefully because Neil and I are very careful about being vendor neutral, but having that kind of elevation is super important because if this is new technology and a new approach, being able to communicate how it works and like the role is important because as you can see, walking around RSA, it is it's not so much zero justice here.</p><p>There's a little bit AI, but it is just buzzwords and word vomit, and there's no value in information. But if you can tell a story in a way that's engaging and interesting and exciting. Entertaining. It makes sense. I will applaud you there obviously outside of the technology and all that.</p><p>I will leave that for someone else to evaluate. But, yeah, that is very cool. I appreciate that approach.</p><p><strong>Vivek Ramachandran:</strong> Yeah, thank you so much. We appreciate it as well and, especially coming from you. I think you're absolutely right. What we, in my previous companies as well, what I figured out is, if you can help educate users, if you can impart knowledge which they can take away from your booth and go out and basically say, you know what, I learned something new, they will come back to you because then they start to view you as a thought leader, as somebody who's elevating their own understanding about a space.</p><p>And I think that's what we've always done. I think people are intelligent enough that if you give them the right information, they can make their own decisions.
And all the marketing jargon never really helps and everyone tries to run away from that.</p><p><strong>Elliot:</strong> Yeah, I and I love that you call that out because that is one of the reasons we created this podcast is again, not this year, but every booth for years had zero trust on it.</p><p>And it was just different flavors, different definitions and it's really simple. There's CISA. There's NIST, John Kindervag, Chase Cunningham. They have You proper vendor neutral approach. Maybe not Chase, but I only like to terrorize him because he is the reason why all those stickers were on the booth.</p><p>But yeah, that, that's exactly right. I think cybersecurity practitioners, they don't want to get sold into. Maybe startups and less mature organizations, that's fine because they don't know what they don't know, but if they've been in your shoes for as long, they know how to find whatever they need to find.</p><p>They'll do a quick Google search or, what not, and they'll find it.</p><p><strong>Vivek Ramachandran:</strong> Absolutely. 100 percent agree with you. Today we are in a knowledge age where people like to do independent research and not just rely on what you've just heard, and I think that is for the better for the whole industry, right?</p><p>Yeah, because that way we know that, people are starting to build their own knowledge and understanding and which is going to make it more difficult for attackers in the long run.</p><p><strong>Elliot:</strong> Excellent. We're close to time here, but I want to give you an opportunity to maybe tell people where they can learn more about what you've built and how they can get their hands on it.</p><p><strong>Vivek Ramachandran:</strong> So I think the best place would be sqrx.com, which is our website.
And what we've really done is, and hopefully just people have found this content engaging, we write blog posts literally every week talking about different aspects of browser security, different attacks, case studies, much of it in a product agnostic way.</p><p>So at the very least, when you come to our website and blogs, you will go out learning a lot about, state of the art attacks, defenses, browser security and whatnot. And of course, if you like what hey, then you can also try out our product, go ahead, sign up and we can sign you up for a free trial.</p><p><strong>Elliot:</strong> I love that approach. It's definitely aligned with how I do things, which is why sometimes they pissed off people with my day job, but hey, that's how this works. So thank you so much, Vivek, for being here. I really appreciate your time and your expertise. We will definitely be bringing you back on for more conversations because we have not fully jumped into the island of enterprise browsers to the extent that we can.</p><p>And obviously you're dabbling between that and SASE and some other zero trust solutions. So thank you so much. Really appreciate you being on with us.</p><p><strong>Vivek Ramachandran:</strong> Thank you so much as well. This was an amazingly interesting talk and looking forward to having similar conversations with you know, in other conferences and even online.</p><p>Thank you so much. Excellent. I</p><p><strong>Elliot:</strong> know you're just being a little bit extra nice there, but I'll take it and we're going to print it. All right.
Thank you.</p>]]></content:encoded></item><item><title><![CDATA[Breaking Down the SMB Threat Landscape and The Value of MSPs]]></title><description><![CDATA[Season 3, Episode 9: We chat with SonicWall&#8217;s Doug McKee about the top 5 threats targeting SMBs based on recent research.]]></description><link>https://www.adoptingzerotrust.com/p/breaking-down-the-smb-threat-landscape</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/breaking-down-the-smb-threat-landscape</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 13 Jun 2024 13:30:07 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/145544428/88d74bda45d2349d81f78af43f5f39ad.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!HvXG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47833a3a-7631-4db4-a298-7a3a1c4d8946_1280x720.png" width="1280" height="720" alt=""></figure></div><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>,&nbsp;<a 
href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>, or&nbsp;<a href="https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2Fkb3B0aW5nLXplcm8tdHJ1c3QvZmVlZC54bWw">Google</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Cybersecurity challenges come in many different flavors regardless of how old your company is or how many employees it houses. Larger companies have to deal with layers upon layers of technology, processes, and the people who support it. Smaller organizations are resource-constrained, often lack the experience or expertise to build a proper program, and typically rely on external support systems.</p><p>While larger companies may not be nimble, they typically employ and understand the value of threat intelligence to home in on risks that could impact the business. They also have larger targets on their back because they are seen as more valuable targets for data, financial drain, and other nefarious purposes. In the same way, smaller organizations may not be as valuable as a direct target, but they can be seen as a doorway into these larger companies. It&#8217;s for these reasons that supply chain attacks, even older ones, are among the top threats targeting small businesses and startups.</p><p>This week on AZT, we examine the top five threats targeting startups and small businesses and chat with SonicWall&#8217;s Executive Director of Threat Research about the WHY behind them.
As a researcher and educator through SANS, Doug McKee shares his perspective on why smaller shops need to consider threat intelligence as part of their cybersecurity program and how MSPs can help fulfill that capability.</p><h2>Top 5 threats to SMBs <em>(According to SonicWall)</em></h2><ul><li><p>Log4j (2021) - more than 43% of organizations were under attack</p></li><li><p>Fortinet SSL VPN CVE-2018-13379 - 35% of orgs were under attack</p></li><li><p>Heartbleed (2012) - 35% of organizations</p></li><li><p>Atlassian CVE-2021-26085 - 32%</p></li><li><p>VMware CVE-2021-21975 - 28% of orgs</p></li></ul><h2>The Guest: <a href="https://www.linkedin.com/in/douglas-mckee-77460677/">Douglas McKee</a></h2><p>Doug is an experienced information security professional who possesses extensive technical expertise acquired through involvement in application and system security testing, hardware and software vulnerability research, malware analysis, forensics, penetration testing, red team exercises, protocol analysis, application development, and risk mitigation activities. These technical proficiencies are complemented by adept leadership and communication skills, honed through the leadership of teams and projects, collaboration within both large and small teams, and the composition of technical reports for clients.</p><p>Doug is recognized for discovering numerous CVEs and regularly speaks at prominent security conferences such as Black Hat, DEF CON, RSA, <a href="http://Hardware.io">Hardware.io</a>, and Ekoparty.
Additionally, Douglas's research is frequently featured in publications with a wide readership, including Wired, Politico, Bleeping Computer, Security Boulevard, Venture Beat, CSO, Politico Morning eHealth, Tech Republic, and Axios.</p><h2>Key Takeaways</h2><ul><li><p>None of these vulnerabilities in SonicWall&#8217;s research were found or disclosed between 2022-2024, and yet we&#8217;re still dealing with them</p></li><li><p>Old vulnerabilities remain a significant threat</p></li><li><p>The most widespread attacks for SMBs include Heartbleed and Log4j vulnerabilities</p></li><li><p>Many widespread vulnerabilities are supply chain vulnerabilities</p></li><li><p>These vulnerabilities are embedded in multiple products and systems</p></li><li><p>Patching vulnerabilities can be complex and costly</p></li><li><p>Compliance and regulatory standards can complicate the process</p></li><li><p>Attackers are becoming increasingly nuanced in their approaches</p></li></ul><h2><strong>The Persistent Threat of Old Vulnerabilities</strong></h2><p>Despite advancements in cybersecurity, old vulnerabilities continue to pose significant threats, especially to small businesses. McKee explains that some of the most widespread attacks include those utilizing decade-old vulnerabilities such as Heartbleed and Log4j.</p><p>McKee emphasized that many widespread vulnerabilities are essentially supply chain vulnerabilities embedded in multiple products and systems, making them difficult to locate and rectify.</p><blockquote><p>"You can group log4j and Heartbleed," said McKee. &#8220;I think under the underlying root cause here is they're essentially supply chain vulnerabilities, right? These are underlying libraries. They don't exist in one singular product.&#8221;</p></blockquote><p>On top of these being supply chain attacks, McKee highlighted that the resource constraints small businesses typically face increase risk.
With fewer resources it&#8217;s easier to go longer stretches of time without identifying threats.</p><blockquote><p>&#8220;Where is this vulnerability within my infrastructure? What products are using it? You can still come out and hear of someone that found out, Oh, log4j was using this application or this piece of hardware that we didn't know it was used in, six months ago,&#8221; said McKee.</p></blockquote><p>And to put a bow on the situation, what is old often becomes new again. In just our <a href="https://www.adoptingzerotrust.com/p/decoding-emerging-threats-mitre-owasp">past episode, we chatted with OWASP and MITRE</a> regarding emerging threats, and they reinforced that the most common attack vectors are rehashes from the past. As threat actors and even researchers perfect attacks and find new elements to take advantage of, they often find new life and new victims.</p><h2>Outrunning Your Peers, a Small Biz Strategy</h2><p>We&#8217;ve heard the concept of making your company so expensive to attack that it&#8217;s not worth the effort, and that is certainly one way to reduce risk. In other words, you can just run a bit faster than the next small shop. However, there is more to this story, as small businesses are seen as a Trojan horse that allows threat actors to abuse the supply chain and get in with larger targets.</p><p>Small businesses can unintentionally serve as gateways for cyber attackers to access larger organizations. Due to their typically lower security measures and defenses, attackers see small businesses as easy targets. Once they successfully infiltrate these smaller businesses, they can misuse the established trust and business relationships to gain entry into larger, more secure companies.</p><p>For instance, a small business might have a trusted relationship with a larger company, which gives them certain privileges, such as access to certain parts of the larger company's network.
Cyber attackers can exploit these privileges to bypass the larger company's security measures. This strategy is often referred to as a supply chain attack, as the attacker is targeting the larger company through its supply chain.</p><p>One prevention strategy for small businesses is to ensure they have robust cybersecurity measures in place. This not only protects their own data and systems but also makes them less attractive as a gateway for attacking larger businesses.</p><p>Another strategy for small businesses is to focus on outrunning their peers in terms of cybersecurity. This doesn't necessarily mean they need to have the most advanced security measures in place. Instead, it means implementing adequate defenses that make attacking their business more trouble than it's worth, causing cyber attackers to look elsewhere for easier targets. By maintaining a strong cybersecurity posture, small businesses can protect themselves while simultaneously safeguarding their business partners.</p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot:</strong> Hello and welcome back to Adopting Zero Trust or AZT. I am your producer, Elliot Volkman, alongside your host, Mr. Neil Dennis. And today we are going to be looking at some fresh or some more recent research that will absolutely be impactful to any organization who either supports SMBs, is an SMB or startup, or maybe a little bit in between as well.</p><p>So before we really get into the meat of it and the information in that research, Douglas, maybe, or sorry, let's go with Doug, a little more casual as is the nature of our, our series. Doug McKee is over at SonicWall and he is an executive director of threat research.
Doug, which, you know, if you're familiar with our show, Mr.</p><p>Neal Dennis has a little bit of background there, which, as you also know, he likes to pull us down a few different rabbit holes. So I suspect we will talk about research, but hopefully we'll get some other interesting conversations in the mix as well. With all that said, Doug, maybe you can give us a little bit of background about yourself, how you got into threat intel and threat research, and then we'll dig into the actual research that you have for us today.</p><p><strong>Doug McKee:</strong> Yeah, absolutely. Thanks, Elliot, for inviting me to be on the show. And it's great to be able to talk about research with you all here today. So I've been in the cybersecurity space somewhere in the neighborhood of 15 years. I've been doing a little bit of everything. I've got a pretty broad background, jack of all trades, mostly in the offensive security space.</p><p>Did a lot of red teaming, pen testing, vulnerability research. I've done malware analysis, breach analysis, all that type of fun stuff, and kind of settled in the VR and exploitation space over the last several years. I'm also a lead author and instructor for SANS. I authored their Security 568 class, which is Combating Supply Chain Attacks Using Product Security Testing.</p><p>So that's obviously a passion of mine as well. But yeah, that's a little bit about me right now.</p><p><strong>Elliot:</strong> Very cool. So I don't want to, like, ruin this and just list off here are these top five threats that are really impacting SMBs, but I do want to plant this seed before we run into it, which I found was really interesting: today, in 2024, there are these top five or so threats that y'all and your research have identified.</p><p>What really stood out is that these aren't things that have just appeared in the last year or two years. Some of them stretch back to 2021, or actually one of these stretches back to 2012. 
So it's a little concerning that threats from that far back are still some of the biggest risks and challenges that an organization has to consider.</p><p>As far as, you know, securing your cybersecurity posture and whatnot. So maybe we can kind of jump into that. Can you give us a little bit of a high level of your findings and, you know, what we're about to discuss and some of the top threats currently targeting startups?</p><p><strong>Doug McKee:</strong> Yeah, absolutely. So the data comes from our IPS, or intrusion prevention systems. Can't talk today. Great for a podcast. So we get telemetry back from these devices, right? And they tell us a little bit about what attackers are attempting against SMBs and all types of businesses.</p><p>Obviously all data has biases, right? So our customer base is where we're getting this data. And our customer base is a very high percentage, somewhere in the 90th percentile, small businesses, right? That's why we've labeled it against small businesses for these threats. And what we're finding is that a large amount of the attacks that we're preventing through our signature database are really old attacks. And so this data is from 2022 till the end of March; today would be slightly overstretched, right? And we're still seeing things like log4j being the majority of attempts attackers are using against our organizations. We're still seeing things like Heartbleed as well, which is the one that you mentioned, all the way back from, I think it's 2012, if I'm not mistaken, right?</p><p>It's lingering around. Also attacks with Fortinet SSL VPN vulnerabilities from 2018. Atlassian makes the list with a 2021 vulnerability. And then VMware also makes the list in the top five, also from 2021. So we can talk a lot and speculate about why this is the case. 
If you want to move in that direction, but I think for the most part there's something to do with time, and what these vulnerabilities are actually in.</p><p><strong>Elliot:</strong> Yeah, we are absolutely going to jump into that. And I just want to throw in a couple of additional numbers that y'all had sent our way, just to show the impact. For log4j, you all see about 43 percent of organizations were under attack associated with that. For the Fortinet SSL VPN issue, and I will not read off the CVE, 35 percent. Heartbleed, 35 percent. Atlassian's CVE that you already discussed was 32 percent, and the VMware CVEs were 28 percent. So those are pretty big numbers. You know, obviously log4j, it's almost like half of your customers. I mean, not half, but you know, that is a large portion of people impacted by that.</p><p>And Neal, I know, has definitely had conversations about that. It basically hit everybody overnight, but it happened years ago at this point. Maybe that is our jumping-off point. Why are we still seeing that? Have organizations not prioritized solving it? Do they not feel like they have the solutions to solve these issues? Yeah, let's pivot over towards that direction.</p><p><strong>Doug McKee:</strong> I think you can actually group two of these. You can group log4j and Heartbleed and talk about them together to answer that question. I think the underlying root cause here is they're essentially supply chain vulnerabilities, right? These are underlying libraries. They don't exist in one singular product.</p><p>And that means that vulnerability is literally all over the place. And one of the challenges with that, then, for our organizations, especially small businesses who may be under-resourced, is simply identification. Where is this vulnerability within my infrastructure? What products are using it? 
You can still come out and hear of someone that found out, Oh, log4j was using this application or this piece of hardware that we didn't know it was used in, six months ago.</p><p>And so that makes it a very valuable vulnerability for attackers to continue to leverage. On top of the fact that, and this kind of applies to all five of them, the more time that a vulnerability or a threat exists, the more research can go into it, right? And so what happens is attackers, and actually even the good guys, like researchers, put more time into understanding how that attack can be perfected.</p><p>And when you combine that again with the supply chain space, it only takes one more application. They're more widespread. And attackers can get a real big bang for their buck there. So I think, at least talking about those two to kick it off with, that's a large portion of why you're seeing organizations being sprayed with those attacks.</p><p><strong>Elliot:</strong> Interesting. So Neal, before I give you your host hat, maybe we pull that off, and being the threat intel guy, do you feel like that perspective jibes with you? Does that make sense? Like these attacks are still evolving. We're finding out more information. What's your perspective on that?</p><p><strong>Neal Dennis:</strong> the scope and scale of those. And since we're talking SMB, to Doug's point, I guarantee I could go to town right now and look at pretty much every small business here that has anything beyond just a payment system, and I'm going to find something.</p><p>I don't care who their MSSP is. I don't care how they've set up. One of these is going to show up if they have a tech debt reprise for it. But I think the other part of the problem is 
When we first have these issues like log4j and the rest, we may not necessarily have the actual fix directly for that the day it comes out or the day we're made aware of it.</p><p>Most of the time we are. I think log4j, before they published size, I think they had the initial fix, and Heartbleed just came out of nowhere, disclosed, open before we had a fix. But that being said, the fix is sometimes AWS going, now we put something on the endpoint devices or further out, maybe in the actual DMZ, to say, Nope, we'll modify it and notify you if someone makes an effort, but you don't actually fix it.</p><p>You just put a stop gap in and then you forget about it. And I think that's the other part of the issue: those stop gaps eventually disappear when you change service providers, and you still have those exploits open in your solutions somewhere. So yeah, obviously they're using them. They wouldn't keep putting them in their payloads if they weren't effective.</p><p>And then to the last point on Doug's side, the longer it's out, the more nuanced we can get with avoiding whatever those limitations are, even the patches to some extent, because once again, back to log4j, at least maybe not log4j, but some of the VM stuff. Some of those patches sometimes are, Hey, put this signature in our solution and you're good.</p><p>All right. We're going to evade that signature in a couple of weeks, once we figure out what it actually is. Cause you're not fixing, once again, the actual issue. You're just trying to put something in between it and the real issue. So a lot of vendors have lovely ways of doing that instead of fixing, right?</p><p>Yeah. I think it's a hundred percent.</p><p><strong>Elliot:</strong> Okay, so</p><p><strong>Doug McKee:</strong> I think, as we continue to think about, if you talk about MSSPs changing, and just companies switching out their protections and not fixing the root cause, 
I think another thing we can talk about in that realm is just patching struggles when it comes to compliance and regulatory organizations.</p><p>I think that's another reason why these things are such a big win. So yeah, they're older vulnerabilities, but go to a healthcare provider and tell them that the only way to fix that vulnerability is to spend millions of dollars switching out device X. And all of a sudden their desire to do that drops incredibly.</p><p>And then of course you have things like HIPAA and all other kinds of regulations that have to re-go through their process just to fix this vulnerability. So I also think it's important to highlight the struggle in some sectors, like it's a really hard thing to accomplish and it's not always the end organization's fault, right?</p><p>They're at the mercy of some of these other vendors. And that also means, again, that attackers are going to find success in using these things. I used to do a lot of penetration testing for healthcare systems, which is why you end up hearing a lot of my side stories end up being in healthcare.</p><p>But it wasn't that many years ago that I was doing a test and I ran into a Windows XP machine. This is long after Windows XP was end of life, and when asking the question to the organization, why am I able to compromise this XP machine and own half your network, it was like, we can't switch out that hugely expensive piece of equipment because it affects our medical care, and where does it meet medical care in that space?</p><p>So I just think that's like an initial layer on why do we still have these age-old vulnerabilities that are effective.</p><p><strong>Neal Dennis:</strong> Yeah. I think that's the other fun part. So back on the IT, OT chain of things, and healthcare, ID, all the other fun stuff that goes in all that stuff. 
Availability versus uptime: IT wants to take stuff down so it stays up when it comes back, and the OT world needs to stay up so they make money and nobody yells at them.</p><p>That's two counterintuitive process flows for people trying to secure a network. And you're right, stuff like this lives down in the weeds. And I'll say this, I guarantee everyone listening, no matter what tool you're using, whether it's what we're using to record today, or whether it's your Gmail or something, even a smaller tool stack, I guarantee you there are vulnerabilities in it that that company is aware of, or they put mitigations in front of them to monitor for those because they don't have the right way to patch it, to make it go forward.</p><p>Whether it's an enterprise tech stack or an open source tech stack, those exist. It's what happens when they start pushing additional updates around that to maintain the monitoring, when those doors start to open back again. And that's the fun part of the story, both as a product producer and provider, as well as a consumer.</p><p>They're there. They may tell you they're fixed, but what they really mean most of the time is, now we're just making sure nobody can take advantage of it while we figure out how to fix it. And then they forget about it a year later.</p><p><strong>Elliot:</strong> And we'll</p><p><strong>Neal Dennis:</strong> floodgates are open again.</p><p><strong>Elliot:</strong> we'll</p><p><strong>Doug McKee:</strong> because sometimes it comes down to a cost thing too, especially if we start talking about hardware devices. To remove a vulnerability could be a slight rearchitecture. Then how do you handle that rearchitecture if you're the vendor, and then pushing an update for that? As you said, they put some type of mitigating factor in place of it.</p><p>I saw one vulnerability not that long ago where the solution was, it was unauthenticated, now it's authenticated. 
And that was their solution, which, yes, adds a layer of protection, but doesn't fix the issue.</p><p><strong>Neal Dennis:</strong> Yeah, that's always the fun one. Slight tangent, but the gentleman we just interviewed, he's a vulnerability risk management guy, Patch Tuesdays and all that fun stuff. And same thing. Yeah, I think it's hilarious, cause he said basically the same deal. Like, it's still a vulnerability.</p><p>You just changed how we access it just a little bit, to provide maybe a small monitoring aspect, but I can still get around it and take advantage of it. So thank you for not actually fixing the problem. So I am curious, if Elliot wants me to be curious at the moment.</p><p><strong>Elliot:</strong> I'm not going to hold you back. Come on now.</p><p><strong>Neal Dennis:</strong> no,</p><p><strong>Elliot:</strong> the research. Now it's free range.</p><p><strong>Neal Dennis:</strong> Some of the questions and asks that you had in here, some of the things in the list that you're happy to speak to, I got some curiosity questions around. But when we think about y'all as a tech stack and what y'all are doing, what you do to look at this data, what's some of the key things, like what's some of the ways that you've approached this data stack to come up with your findings would be a good question. I'm an intel guy, so I like to understand people's actual methodologies. And it's politely spelled out in here that you would do that with us, so I'm very curious about your methodology. What's your approach and what's your intent, from your overall methodology, for this research?</p><p><strong>Doug McKee:</strong> So obviously we get tons of data back from all of our products and all of our sensors. And oftentimes, I run the IPS content team. 
We produce signatures on a daily basis for all these threats that we're talking about. And we're constantly rinsing, repeating and saying, like, how do we make our signatures better?</p><p>Like, what should we be focusing on for small businesses specifically? And so when I'm reviewing the telemetry data, oftentimes we look at what are the signatures with the highest hits, like what are people getting slammed with today? How can we make those signatures more generic?</p><p>And I simply just took a step back and was like, all right, let's look at how widespread these attacks are instead. Because if I want to focus on something to improve the signature base, I want to help as many people as possible. I don't want to just help one organization, whether it's one small customer or one big customer; I want to try to help all of them.</p><p>So the methodology here was to just start tweaking the way we approach it and say, what's affecting most of our organizations? And so that's how we got to, Oh, these are the top five most widespread attacks. And what's interesting too, is there's like a huge cliff. So the reason I published the top five is, I think after we get off of here, we go from 28 percent down to like single digits, as far as, again, not quantity of attacks, but widespread attacks. And in fact, there's some vulnerabilities out there that have a much higher quantity of attacks today, but they're only hitting a few organizations. They're more targeted. And so it's, what is affecting most of our customers?</p><p>And that's where this came from. That was the backend methodology: how can we improve what we're looking at from a widespread perspective? And it's really interesting to look at that. These are the older ones. 
And so I think some of the methodologies going forward is, anything supply chain related is going to get a lot more attention, because it's hitting a wider group of people. Things we can speculate on:</p><p>Why are Fortinet, Atlassian and VMware on the top of the list? Looking at this data, and it goes completely speculatory, but some things to think about is Fortinet's an edge device, right? Attackers get a hold of one of the largest vendors. Cisco is obviously in that ballpark as well.</p><p>But if you get a hold of edge devices, that's game over for a lot of attackers, because internal defenses versus external offenses. They don't have to phish, right? You've got that as a possibility. VMware infrastructure, kind of like Fortinet: cloud computing, a lot of VMware infrastructure there.</p><p>So again, the overall theme being biggest bang for your buck type thing from attackers. And then I think Atlassian is the most interesting one, personally. And that has to do with, in my opinion, stealing data. Probably one of the largest providers for things like wiki and project management and tasks in those areas.</p><p>What can we either ransom back to you, or what can we sell on the black market? Or what can we use to pivot? A lot of that stuff's posted in those technologies. So it's a long-winded answer, but I think ultimately trying to protect as many people as possible.</p><p><strong>Neal Dennis:</strong> Oh, I think that's cool. It makes sense. So I've got a slight stub question on Atlassian stuff. Or at least an anecdote from my side that might turn into a question. 
The</p><p><strong>Elliot:</strong> the reason I'm</p><p><strong>Neal Dennis:</strong> one of the supply chain risks that I saw play out a while back, someone, just like with GitHub, they were trying to get access to someone's Jira setup so they could change</p><p><strong>Elliot:</strong> a right</p><p><strong>Neal Dennis:</strong> code base and sprints as it was being shared directly in Atlassian and Confluence pages.</p><p>Wow. So they were trying to get in so they could corrupt, like SolarWinds-style, corrupt the source code or some part of the code as the engineering team was doing their thing. But my curiosity question is, so you mentioned ransomware and extortion, stuff like that. So as y'all are doing this research, are you able to, or are you intending to, look at who the threat actors are that are going forward with this, to see what those exploit packages might lead to as well?</p><p>Is that part of that overall effort?</p><p><strong>Doug McKee:</strong> So we gather data differently for different products. So in this specific effort, the reason I'm specific about network attacks and widespread is I'm specifically looking at, like, IPS network traffic data. As far as attribution, and where these attacks are coming from?</p><p>A lot of that comes from actually some of our sandboxing technology, where we can actually deeply analyze a lot of the malware that we get that comes through the firewall boxes. So that's a different area, and they don't always necessarily match up one to one, as I'm sure you understand.</p><p>I guess the short answer is yes, we're doing that. But we have yet to be able to dive into it with this specific information as far as where the log4j attacks are currently coming from. I don't have that information.</p><p><strong>Neal Dennis:</strong> It's all good. No, it's just a curiosity question. 
Like I said, as an intel analyst, a government-trained intel analyst, I should say, because there's a difference in the scheme of things. You've got two sides of the fence: the one where attribution is king, and one where who gives a pants, let's just continue to block stuff.</p><p>And so that's why I asked the question. Maybe over a different colon of beer I'll ask you where you sit on that fence, so I can either agree or tell you you're very, very wrong. But no, that's good insights. I think from an iteration, though, knowing that y'all as a company, one, you're looking at the threats, B, y'all have a larger teaming capability that will attempt to look at some layer of attribution or some layer of intent.</p><p>Thinking down a little bit more on this, I want to get back on the MSP side of the house a little bit, because from a supply chain perspective as a whole, obviously SMBs, I don't remember what the latest numbers are, because it always goes back and forth every couple of years.</p><p>One year, we're looking at three quarters of the SMBs are all using an MSP of some sort, and then you flip it around and suddenly they all want to go spend a million dollars to start their own thing, and now we're down to 60 percent or something. I don't know. But from an MSP engagement perspective, what's some of the insights or ideas to maybe push your MSP to help you do these things or maintain this? Or, better yet, secondary question: if you decide to change a service provider, what are some of the things you might suggest to carry forward with that, around these types of supply chain risks and concerns that they might need to take with them?</p><p><strong>Doug McKee:</strong> So I think there's multiple ways in which MSPs can help with this issue. I think that boils down to two main things. 
I think we can talk about resource constraints and we can talk about complexity, right?</p><p>So we've talked about startups briefly earlier in the conversation, and you can have these startups that are like, one day there's three to 10 people, and all of a sudden, like two to three weeks later, they're a hundred or even more, a larger startup, because all of a sudden they're being successful, their product is selling, et cetera, et cetera.</p><p>And they move from this category of trying to work out of their Ma's garage to something where they go, Oh, we actually need, like, security, like we need to think about these things. And it's really easy to all of a sudden get this concept of shadow IT. I'm sure that's a term you guys have heard before, and you don't know what you don't know.</p><p>And so, coming back to the question here, MSPs can come in and really help provide the resources required to understand the complexity of your network, where you may have deficiencies, and then make suggestions without the need for hiring a dedicated security team, training them up, spinning them up on a regular basis.</p><p>So I think that's definitely one where they can help. Automated patching: a lot of MSPs have that down to a science, because they do that for a large customer base, and they can implement something for you a lot quicker than if you were to, again, try to do this yourself.</p><p>Yeah. I think there's a couple of things we can talk about. If I was interviewing an MSP, for example, or trying to figure out if I want to switch or not, one thing I would consider is, what is that MSP doing specifically for your organization? 
That's not necessarily cookie cutter for every organization, right?</p><p>Are they taking the time to realize that, if let's say you're in a different industry, let's say that you're in finance, are they applying the same rules that they're applying to the medical industry? Are they applying the same rules that they're applying to the tech industry, and their methodologies and the way they approach things?</p><p>Cause at the end of the day, what protection comes down to often is prioritization. And you have to have an intake of threat intelligence for where you're sitting at in the organization, like the list that we're talking about here, the top five most widespread attacks, not to everybody in the world, but to small businesses. That's going to exist differently when you're trying to protect, not that you would do this, but Microsoft, right? If Microsoft was interviewing MSPs, and as I said, not that they would do that, but that's going to be very different than if it's some small company that only has 200 people and is in a completely different industry. So I think how you go about prioritization and customization when it comes to threat intelligence, which is driving how you act.</p><p>Do you have threat intelligence, or what is your threat intelligence intake? And how is it related to, again, my organization? Are you an MSP that specializes in preventing Windows attacks, and I'm an Apple shop, right? What experience do you have in Apple? So it seems simple, but those are the things that are really going to matter further down the road.</p><p>And I'll give you one more, and this can fall in or outside the MSP space. You could sometimes consider more consulting, if you will: do you have the expertise on your staff to leverage skills like product security testing? 
Because when we talk about threats like log4j and Heartbleed, and we already mentioned the hardest problem is identification, right?</p><p>How do I know if I have it? The best way to know that you have it is someone that can break down the products in your company and tell you what is being used from a library perspective. And that comes from techniques like product security testing. So that's an advanced question to ask an MSP: do you offer those types of services, or can you help me with that?</p><p>So I don't have to be trying to do it on my own.</p><p>No, of course</p><p>it's a very rude world. Yeah.</p><p>I also think in that line of thinking, it's also important to realize that attackers don't only go after the Microsofts, right. They go after the cog makers, because often, using your terminology, oftentimes, because they know that they don't have the resources necessarily. And if they get the cog makers, then they can maybe get into Hyundai or the next level up, because you might be doing business with them.</p><p>Yeah. Sometimes that means that you're actually more of a target, because you can be used as a Trojan horse other places. If we look at breaches, like the Home Depot breach back in the day, or the casino that was hacked in 2017 by the internet-connected fish tank, right?</p><p>Just because you're not the big fish in the market, no pun intended, like you may actually be the vehicle that's being used. So absolutely you need to leverage as many resources as you can. I like to joke all the time, attackers are lazy. They're no different than me and you, right?</p><p>They don't want to do it the hard way. And I think that's ultimately what it is with these widespread attacks. 
They don't want to find a custom zero day, or leverage something like a ridiculous Windows vulnerability that requires ROP chains and exploit mitigations and the pipe bypass CFG and all that fun stuff.</p><p>They want to run a script that runs log4j that gets you into their network, or they want to send a phish. So they're going to find the avenues that work for them. Especially if we see these numbers, if, again, 43 percent of organizations are being hit by log4j, you have to argue that attackers must be having success with it at a pretty large rate.</p><p>Also, sometimes, depending on who you are, if it doesn't work, they'll move on to a different target. Like, sometimes you just have to be able to run faster than the guy behind you. I think it's worth highlighting that too, that there's such a huge value in making sure that you're protected against it, like it's worth time and investment, because the ones that these are working with are going to be the victims.</p><p>Yeah.</p><p>I think something that's actually not written here that is also interesting, in the same vein, is back in October. Predictions are a big thing in cybersecurity, right? They're like, Hey, what's going to happen in 2024? And I just started to look at some of this data. I didn't have it all pulled together yet.</p><p>And I noticed that there was a trend with log4j specifically. And the trend was that it was upward facing. Like we were starting to see more and more attacks on log4j. And so I had made the prediction that in 2024 it's going to continue to go up. Now, obviously we haven't seen all of 2024 yet, but so far, when I looked at this in March to start putting together, okay, last two years, what are we seeing?</p><p>It was higher than it was in October. So I think, to your point, we need to change the direction a little bit, right? And how we do that is we have to bring awareness to what the issues are. 
So that way we can force them to take a step back and come up with a new tactic.</p><p>Yeah, I think it's a really hard problem, right? Like, at the end of the day, how do you know what to ignore and how do you know what to listen to? The concept of prioritization is key, especially for CISOs, right? Like, it's their job to basically say, this is the risk that's most important for us to tackle.</p><p>This is the risk we're going to accept. That's a whole nother conversation we can talk about later, about risk acceptance. So how do we approach this as businesses? And I think, or at least as small businesses, one of the first things I would say is, my prioritization for small businesses is you can't know what to protect against if you don't know what you have.</p><p>Period. End of discussion. So if you don't have a good understanding of what's on your network, like where it's being used and all that fun stuff, then it doesn't matter what the headlines are, because you don't know how to properly implement the protections, because you don't know what to ignore and you don't know what to listen to.</p><p>So to me, that's the first big piece of the puzzle, where I think a lot of SMBs get caught up in the, what was the headline I saw the other day? Quantum computing is going to make RSA obsolete, or something to that effect. Yeah, let that be tomorrow's problem, right? Today's problem is, and what we're showing here with this little bit of research is, you need to shore up the old stuff first, which means I have to know if the old stuff exists on my network.</p><p>A silly answer to your question is, where do I get my prioritization from? From myself, internally, right? I need to get my prioritization from my, if you will, my internal SBOM. What am I using? 
And then on top of that, there's tons of factors that can go into prioritization once you have that.</p><p>But I would argue you want to stick with, first, what are your mission-critical functions? Those need to be prioritized as far as protection goes. Yes, I know we can sit here and say that it doesn't have to be mission critical and attackers can get into your network using it, and then they can compromise other things; again, different discussion.</p><p>But if I'm talking about prioritization, I want to make sure that I'm shoring up my mission-critical stuff first, because they affect my bottom line. And also having the mentality of not if I'm going to get compromised, but when I get compromised, and thinking that I'm already compromised. Like, if we can shift the mindset to that and not have an organization saying, Oh, I've got protection X, Y, Z, so they're not going to get me. That's a very old or antiquated methodology. So when you're talking about prioritization, prioritize what you have. Prioritize how you're thinking about your security. In other words, consider yourself already compromised. Did I protect my mission-critical assets, or make it extremely difficult for those to be the ones that are given access to? And then leverage threat intelligence and different tools that are able to provide you stuff specific for your industry.</p><p>Absolutely. And in the SANS class that I teach, we use this phrase called think red, act blue, and it talks about this methodology of, we have to always be thinking from an attacker's mindset. 
And then what separates us apart is, what we do with that action.</p><p>So to your point, whether it's an intern, or whether you can hire an MSP or an MSSP to, to help you with bringing in that mindset, like that's, that's what you need to prioritize when we're talking about of a protection standpoint, because if you don't know, you don't know.</p><p>Absolutely. I'm always, always happy to pitch, pitch the SANS class. Obviously I'm biased. I think it's a fantastic class. It's Security 568. So that's Combating Supply Chain Attacks Using Product Security Testing. Two things we talked about today on the podcast, right?</p><p>Product security testing and supply chain attacks. And it's very fundamental in the concept of knowing what you have, but not just knowing what you have and trusting what the vendor provides you. But we, we do two things in that class. One, we provide you a repeatable methodology, step by step process on how to do that product security testing.</p><p>I challenge you to go Google product security testing and find something like that, that didn't come from my class. Right there. Before we wrote this class last year, no one could tell you how to do product security testing. We actually have a free poster. You can go download if you, if you Google SANS Security 568 and you do Google poster, it'll come right up and you can grab the methodology poster that we provide in that class.</p><p>And again, it's going to show you the repeatable methodology on, on how to do product security testing. Of course, it's a, it's a five day class. So we dive into that pretty extensively during the class, more than you're going to get on the poster. But I think that really is key is in understanding what you, what you have on your network.</p><p>One of my favorite things we do is we even talk about how to break down proprietary protocols. When you were mentioning, medical industry, financial industry, OT earlier. 
Again, you don't know what you don't know when you've got these network packets going across your network and you have no idea how to parse them.</p><p>How do you protect yourself? You figure out what they're doing. And so that's one of the things that we talk about on a deeper technical level in that class.</p><p>Yeah, absolutely.</p><p>Yeah, absolutely. Our, our everyday focus is, is SMBs and, and we have an MSP service that we offer through a recent acquisition, Solutions Granted, and if, if you, if you're looking for an MSP to help you with this, highly, we are specializing in small businesses and so we're looking at the threats on, on a regular basis to, to that industry and providing that intelligence and then leveraging that through, through our MSP.</p><p>Highly, definitely specialized for that area.</p><p>Absolutely. I, so someone's got to pick up the phone, right?</p><p>I thank you so much for having us. It was great to have a chat with y'all for a little while and happy to do it again. Anytime.</p><p><strong>Elliot:</strong> That was weird. Yeah, we are. It's all right. Magic editing and whatnot.</p><p>Yeah, sorry.</p><p>Welcome, welcome, welcome.</p><p>I don't know if I've ever asked for it. I'll just say,</p><p>What are you talking about? No. I got nothing.</p><p>I do so little work talking is the worst. So I much rather do what I do. I, I do have a question though. 
It might tee off a conversation that I've got going on at RSA with OWASP and MITRE. So this will be a good jumping off point, or it might be follow up, whichever order we publish. This research focuses on SMBs and startups.</p><p>I'm curious since these are like the top five. How would an organization, a startup or an SMB be able to identify if these are things that they should prioritize? If you look at, whatever articles that you read, the headlines, this ransomware is hitting us. These phishing attacks are hitting us.</p><p>How do you differentiate between all of the things that you see spread everywhere, a little bit of excess media hype, versus what an organization of a certain size in a certain industry should do? And this also blends right back over to threat intelligence. Figured I'd throw that one out there.</p><p>Let's take it out for clarification. This was not a paid advertisement. Neal is just very nice. So just, just putting that out there. Otherwise we're generally vendor neutral and how that all works. But Doug, thank you so much for being here, sharing your expertise and your insight and that research with us.</p><p>I think anywhere that we can help elevate information and identify areas of prioritization, even though as you clearly stated that information needs to come from within, I think it's super important for us to be able to do that. 
So Neal and I are always very happy to identify that kind of research, build a platform, and that is essentially what we've done outside of just rambling and terrorizing other marketing people.</p><p>That, that's what we're here for. So Doug, thank you so much for coming on and sharing that expertise. We really appreciate it.</p><p><strong>Neal Dennis:</strong> Can you hear me? I can't. Elliot needs to refresh.</p><p>Oh, there he goes. That's funny. Talking about mom and pops. Then there goes Riverside. They heard us talking about them. They didn't like it. That's all good. Yeah. Oh yeah. We got you. And I think we're still recording.</p><p>Yeah. Lost you somewhere around mom and pop.</p><p>So I think as we, as we dive down into the MSP bucket here, a few I, I've definitely lived the startup life going from five person to more a couple of times now, and you go from having nothing on your box managed wise to all of a sudden you wake up the next day and there's automatic reboots and updates on what would we do here?</p><p>But patch management. So back on that. So if we think about MSPs as the variations of service, some of them have after hours, 24/7, whatever, SOC roles, whatever. But I think that's a really good niche thought that people don't take into account is you can hire an MSP to be your IT administrator.</p><p>They don't have to necessarily be your security from the SOC perspective, if that's not what you're looking for. But you can hire someone to bring that wealth of experience to help you with the patch management exclusively or in the vulnerability management aspects. And, there's definitely some companies out there that that's what they specialize in is, Hey, let us come in once a month and break everybody's stuff for you and they'll be mad at us and not you.</p><p>Or every two days when Chrome decides to update and you have to refresh all your fricking tabs. Thinking on that, what, do you have any thoughts on, on like maybe transitioning? 
Let's say if you're questioning your service providers on what they've done, are there any things related to these vulnerabilities or, or constructs around vulnerability management that someone should ask their current provider?</p><p>So when they go to a new provider, or if they're peeling back away from the provider, other than just, I know my obligatory question is how the heck did you do that? And thank you. But, but do you think there's any additional insights around transition period and all that other fun stuff to,</p><p>maybe have a list like this to go, Hey, what did you do? And is this still relevant today? Or do I need to take some other mitigations moving forward?</p><p>And I want to be clear. The reason why I keep harassing you about various weird things like this is because as someone who focuses on SMBs, obviously like you're doing, a lot of people have questions like this around these type things. So it's good to get perspective on what they should be thinking to ask and how they should be managing.</p><p>On that same vein, back on SMB slash supply chain a little bit more, you hinted at, bill of materials a little bit and having someone that may help you discover that. So I want to iterate on the bill of materials piece a little bit and the SBOMs and all the other stuff that we have to put up with the fan who we're servicing, but.</p><p>As, as good as it is to obviously have self discovery and you need that, that is an exceedingly needed skillset to be able to have, whether you pay for it extra, or you have it intrinsic to your, your security team. And then the other part of that is back on the SBOM side of the house, depending on how big of a company you are and what you're doing to support what your company is doing back on healthcare versus finance, versus someone who's just.</p><p>Cogs for a car that nobody cares about. 
If you're an SMB supporting a very large provider somewhere, or if you're a cog in a much larger supply chain for a big, big entity, and one or two echelons down, I think the other thing people could think of is soliciting who it is that they're providing resources for.</p><p>So if I'm making a cog for Honda, Honda or Hyundai, Hyundai, one of the H whatevers. Or Ford versus making a cog for someone who's just trying to make a new EV in their garage. And that's it. I might be able to go to Honda and be like, Hey, I'm one of your primary suppliers. Help me figure out what's going on in my system or help me figure out, what's critical for me to keep you going and then use that from a priorities perspective.</p><p>So I think SMBs, we focus a lot on them because they have their own buckets of problems. And I think an SMB as well should also think of trying to solicit who it is up chain from them that has the billions of dollars to maybe help them maintain some kind of awareness and what they should focus on. And then maybe take that back to someone like you and whoever else as well and say, Hey, from a supply chain perspective or from a product perspective, here are the things that we actually care about.</p><p>It's a weird world. It's a different set of rules. Back to your point, Microsoft versus the cog maker. Microsoft is going to get whatever the heck they ask for. And they're going to be able to,</p><p>yeah, yeah, yeah, that's exactly it. We're not going to spend time burning cycles against stuff when we have a finite, as a threat actor, finite span to be able to take advantage of something before whatever it is we're soliciting with, reconning, reconnoitering with, gets popped and turned away. 
So yeah, you're going to throw everything that you've seen work currently and then come back a few days later if none of that worked and try something new until you do find something.</p><p>But yeah, if Log4j is still in the, in the exploit paths, it's definitely getting someone somewhere. Otherwise it'd be a waste of time.</p><p>Yeah.</p><p>And this kind of comes back to a little bit of a nuance on SMBs and supply chain for me, and stand up slightly on a soapbox for a few seconds. But if you're in an SMB world, once again, you have a community and this, this is things I think people also need to realize. You talk about, outrun the guy behind you a hundred percent.</p><p>Please, but at the same vein, if you're seeing these things as a consumer, and so this is where your research to me is valuable because you're doing some of this because they obviously can't in that sense. So as an SMB, as an intel provider, or at least an intel consumer, someone who has the ability to understand what my footprint looks like from a threat perspective, or what's hitting me at least a little bit, I should be able to take that info back to my peer groups and harden my peer groups.</p><p>Even more. So then once again, as a group, we're less likely to get targeted in the future by those, those, whatever they may be, and then bring that data forward. And so when you create something like this research wise, it's to your point, it's what's the biggest impact across the most people that you can think of and, and, and look for.</p><p>And that's what this is. This is taking your data set, your understanding and letting SMBs as a whole know, Hey, look guys, SMB in general. Here's the things you've got to worry about because they know that y'all are softer targets. So take care of these big things, make sure they're good to go. 
And then let's move on to what the next, flavor of the day is.</p><p>And we'll keep the ball rolling for and I, I think that's a very important aspect that some people miss in the threat space, when we talk about public disclose, disclosures and things like that, and there's pros and cons on either side of the fence. So you putting out a product like this, that says, here's the top five threats.</p><p>It's probably going to make some threat actor stop using it. But that's a good thing in the grand scheme of stuff, because that means, they're, they know that they're being caught with this stuff. They know they need to shift away from it, especially if they want to come after a particular customer base.</p><p>The downside is they're going to shift and come after new things, but it takes some time to retool and it takes some time to come back for it. And that's why intel is a repetitive cycle and we rinse, lather, repeat. And then, nine months, you're going to write the next top five threats for SMBs.</p><p>And hopefully it'll be a little different and that, that's a good win ROI wise. So yeah.</p><p>Oh, yeah, I know you wanted to say something at the, you know, a few times here before we wrap up, giving time permissions. But I want to be mindful that all, so he sits here and he goes, you hear his intro, right? He's, hey, I'm, I'm the whatever producer, black back in person, whatever, Elliot. And then here's your host Neal, and I have to remind him that he does all the work. He's not just a producer, he does, yeah, I think it's very well said. I know who you are and know what you are and know what the heck screwed up as best as you can. And just one last piece you, you said it earlier, you need a resource to, to drive into what's, what's actually there. What's actually going on. You need to have someone somewhere on a team somehow that understands how to be, red team to some extent.</p><p>And. 
You yourself obviously haven't come from that back end, know that better than most, I hope. And then red team, your stuff, even if it's some intern from a university that has, pays and works for coffee, let them come in and try to break your crap better than, than someone else.</p><p>And so I know we're coming up on time, but I got two last questions. One, I would like, since you're doing SANS stuff, I'm all for you personally pitching your SANS course, if you're up for it and what the number is, and then for our listeners. Throw it back over to Doug to let you know where to go get some fun stuff here from the SANS side of the house.</p><p>Yeah, just don't try to push a packet back out until you know what it's doing first. I, yeah, I used to work OT side of the house and proprietary, pick a flavor of the day, bus this, Modbus, Profibus, all the other fun buses. I may or may not have learned that one. And then last but not least before I let Elliot close us out real fast, SonicWall, I just want to iterate on that where, where you're coming from the research that y'all produce in effect, like right off the bat, you talked about how, as a, as a company that a large percentage of your client base is SMB focused.</p><p>And I just want to iterate on that for everybody listening that if you're looking for SMB support and stuff, there are companies like SonicWall out there that do have a focus of the day that does help y'all more than someone like Microsoft.</p><p>Reach out to Doug. Doug likes to play sales rep. I'm kidding. Yeah.</p><p>Oh, Elliot, I'm good, bud. I'm done. 
I just wanted to get a good point for Sans.</p>]]></content:encoded></item><item><title><![CDATA[Decoding Emerging Threats: MITRE, OWASP, and Threat Intel]]></title><description><![CDATA[Season 3, Episode 8: AZT and Dr Zero Trust have a crossover episode where we chat with reps from MITRE and OWASP about challenges associated with emerging threats.]]></description><link>https://www.adoptingzerotrust.com/p/decoding-emerging-threats-mitre-owasp</link><guid isPermaLink="false">https://www.adoptingzerotrust.com/p/decoding-emerging-threats-mitre-owasp</guid><dc:creator><![CDATA[Elliot Volkman]]></dc:creator><pubDate>Thu, 06 Jun 2024 10:45:18 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/145361968/2c9267abec55b5ca48a7a7ac78d367d9.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PUWv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PUWv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!PUWv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!PUWv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 1272w, 
https://substackcdn.com/image/fetch/$s_!PUWv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PUWv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png" width="1280" height="720" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1070129,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PUWv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 424w, https://substackcdn.com/image/fetch/$s_!PUWv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 848w, https://substackcdn.com/image/fetch/$s_!PUWv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 1272w, 
https://substackcdn.com/image/fetch/$s_!PUWv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bfb9ec2-d863-4bcf-b955-93c6c008d7b0_1280x720.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><em>Catch this episode on&nbsp;<a href="https://www.youtube.com/channel/UCOTUC_MaIidzMJ7seMkj5Fg">YouTube</a>,&nbsp;<a href="https://podcasts.apple.com/us/podcast/adopting-zero-trust/id1633461773">Apple</a>,&nbsp;<a href="https://open.spotify.com/show/5hrfiDWuthYUQwj7wyIMzI">Spotify</a>,&nbsp;<a 
href="https://music.amazon.com/podcasts/5572cd74-4d8a-4a7b-ac46-8cfa52a5a9fe">Amazon</a>, or&nbsp;<a href="https://podcasts.google.com/feed/aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2Fkb3B0aW5nLXplcm8tdHJ1c3QvZmVlZC54bWw">Google</a>.&nbsp;<a href="https://www.adoptingzerotrust.com/">You can read the show notes here</a>.</em></p><p>Every few weeks, and occasionally every few days, we hear reports of a new, novel technique or zero day. Those headlines often create an unnecessary level of fear for organizations, but battle-worn cybersecurity professionals know that just because it&#8217;s in a headline doesn&#8217;t necessarily mean it will impact their environment. That is because emerging threats are just that: new and novel. While zero day threats can be interesting and something to be aware of, most threat actors stick to tried and true methods.</p><p>But how do we identify what is most impactful to our security posture, attack surface, or insert your other buzzy term? Threat intelligence and the collective defense. And for that, it&#8217;s time to introduce our two very well-equipped guests to navigate this conversation, and our guest moderator:</p><p>This week on AZT, we have representatives from OWASP and MITRE, with Dr Zero Trust leading the charge.</p><div id="youtube2-PTxw7cmHHIE" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;PTxw7cmHHIE&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/PTxw7cmHHIE?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h2>The Guests</h2><h3>Special Guest Moderator</h3><p><a href="https://www.linkedin.com/in/dr-chase-cunningham/">Dr. Chase Cunningham</a> - Dr. 
Zero Trust and Vice President of Security Market Research for G2</p><p><a href="https://www.linkedin.com/in/avidouglen/">Avi Douglen</a> - Chair of the Global Board of Directors for the OWASP Foundation and Founder and CEO of Bounce Security.</p><p>Avi&nbsp;is a security architect and software developer who has led development teams in building secure products for over 20 years. As a systems developer and security consultant, over the years Avi has amassed deep technical knowledge and an understanding of&nbsp;enterprise security needs at the business level. Avi currently serves on the OWASP Global Board of Directors and leads the Israel chapter. He is the founder and leader of the popular AppSecIL security conference and&nbsp;the&nbsp;OWASP Threat Modeling Project, and co-authored the&nbsp;<a href="https://www.threatmodelingmanifesto.org/">Threat Modeling Manifesto</a>. He is a community moderator on&nbsp;<a href="https://security.stackexchange.com/">Security StackExchange</a> and a frequent speaker at industry conferences; recent talks can be seen&nbsp;<a href="https://www.bouncesecurity.com/team-members/events.md">here</a>.</p><p><a href="https://www.linkedin.com/in/stanley-barr-1b921693/">Stanley Barr</a> - Senior Principal Cyber Researcher for MITRE</p><p>Dr. Stanley Barr is a three-time graduate of the University of Massachusetts Lowell. He has a BS in Information Sciences, an MS in Mathematics, and a PhD in Computer Science. He has coauthored published papers on malware analysis, barrier coverage problems, expert systems for network security, and robotic manufacturing. He has spoken at MILCOM, RSA, BSides Boston, and DEF CON. He has been a panelist for conferences; panel topics have included fighting through real-world computer network attacks from both external and internal threats. 
Currently, he is a Senior Principal Scientist at The MITRE Corporation, a not-for-profit corporation that manages six federally funded research and development centers (FFRDCs).</p><h2>Key Takeaways</h2><ul><li><p>Emerging threats are interesting, but threat modeling and understanding how systems work to identify potential issues is more impactful.</p></li><li><p>AI can pose a threat due to its ability to remember and tailor information, as well as its scalability.</p></li><li><p>The panel emphasized that basic security hygiene is often overlooked, such as enabling 2FA on all accounts.</p></li><li><p>The OWASP Top 10 most common attack vectors are still a significant concern, but they should not be the only focus.</p></li><li><p>The panel argued that responsibility for security breaches should extend beyond the CISO to the entire board and engineering organization.</p></li><li><p>Cybersecurity is a people-centric challenge, and relying on people not to make mistakes is not a sustainable strategy.</p></li><li><p>There is value in investing in proper security measures, as it can save organizations money in the long run.</p></li></ul><h3>Editor&#8217;s Note</h3><p>Interested in learning more about Zero Trust directly? We&#8217;ve partnered with the Zero Trust Meet &amp; Expo taking place on August 26-27 in Stamford, CT, where you&#8217;ll find several of our past speakers presenting. Take a look at the lineup here, and use the promo code <em>AZT@ZTM24</em> to get $450 off the early bird rate. This is <em><strong>not</strong></em> a sponsored announcement, but we&#8217;re always happy to support the community and experts who will be speaking.</p><h2>It&#8217;s Not Zero Day Threats You Need to Watch Out For</h2><p>It&#8217;s not zero days that you need to worry about. For decades, social engineering and phishing have remained the top threat vector. Why? 
It&#8217;s a heated debate, but there is no denying that the most effective cybersecurity threat, both in impact and financial drain, is successful because it abuses human psychology rather than technology alone. Yes, we&#8217;re talking about good ole social engineering and phishing attacks.</p><p>On top of the basics, organizations like OWASP have identified common threat vectors, MITRE has its own take on TTPs with MITRE ATT&amp;CK, and then there is the data that lives within your own environment to bring it all home.</p><blockquote><p>&#8220;We don't need to be chasing zero days, that's not how we're going to get hacked,&#8221; said Avi Douglen, Chair of the Global Board of Directors for the OWASP Foundation and Founder and CEO of Bounce Security. &#8220;Injection has been in one form or another on the OWASP Top 10 since the very first version. For example, threats like SQL Injection and other versions of injection. It's trusting untrusted input to a trusted parser in an unfiltered way. It's still the same thing with a different model.&#8221;</p></blockquote><p>Based on Avi&#8217;s perspective, this raises the question: how should organizations use these resources and prioritize their time? Cunningham has a very simple and direct answer.</p><blockquote><p>&#8220;You have a space where the bad guys literally tell you what they're going to do and people wonder how do we stop it? You stop it where they say they're going to do the thing they're going to do. It's not rocket surgery. It can get complex, but if you make simple things hard, it's hard. This is the basics, the blocking and tackling, the right way to approach the problem. It just makes a difference,&#8221; said Cunningham.</p></blockquote><h2>AI Threats or Repackaged Threats?</h2><p>If AI prompt injections are the primary concern today, and we have seen similar issues with SQL and other platforms in the past, what do organizations need to be aware of today? 
Re-use of TTPs is certainly at the top, but there are also genuinely emerging threats originating from the increasing availability of new technology that has yet to be placed behind the necessary guardrails.</p><p>First, imagine a threat actor that can remember every detail about you and your life and use it against you. Now, do that rapidly and with platforms that we willingly feed that data to.</p><blockquote><p>&#8220;AI is problematic because it has a good recall. Anything that you put into the, anything you tell a stranger now, they can remember for a long period of time, right? So there's that recall, there's a tailoring,&#8221; said Barr.</p></blockquote><p>While there are certainly concerns about phishing threat actors using things like GPT to create more conversational and realistic email lures, it&#8217;s not the absence of broken English you need to look out for.</p><blockquote><p>&#8220;Once it starts learning what you want from all the interactions you give it, it can tailor that, it can be big, it can scale, it can be one person or 100 people or 20 people, it can operate 24/7, AI can then say, pressure release maintainers into giving up the maintenance of a repo to give someone else a chance bad things happen, I think these are the sort of things we have to worry about with AI,&#8221; said Barr.</p></blockquote><p>For security teams, the question is less about users ending up on the receiving end of these lures than about how to reduce or prevent models from getting this data and scaling their efforts. Solving this means putting in place policies about what information can be shared with LLMs, removing any potentially proprietary details, and being intentional in general through the lens of privacy.</p><h2>The Top 10 is Not the Top 10</h2><p>Beyond AI, one of the more interesting elements to come from the conversation was Douglen&#8217;s reinforcement of what the OWASP Top 10 is and isn&#8217;t. 
Much like the vendors who abuse MITRE frameworks in their solutions rather than educating less mature teams about evaluating what is in their environment, the same goes for the Top 10.</p><blockquote><p>&#8220;A lot of organizations follow the Top 10 and they have compliance with the Top 10 - and there's a huge amount, almost all the vendors have built their tools around the Top 10 - scan for the Top 10, building out compliance with the Top 10. The Top 10 is not a standard, it's an awareness document. It's basically, hey guys, security is important, here's a bunch of different things. If you're worried about the Top 10, I see this shirt all the time: I got popped by the OWASP Top 11 and the Top 25 and the 103. It doesn't matter. The Top 10 is just because they're easy to understand categories, right?&#8221;</p></blockquote><p>While the Top 10 is widely accepted and used, its purpose is to alert people that security is a significant concern and to highlight some common issues.</p><p>Douglen cautions against over-reliance on the Top 10. Just because a system is compliant doesn't mean it is entirely secure. Understanding the actual system is crucial to finding real issues.</p><p>He suggests that the Top 10 should be seen as the minimum security standard, or table stakes, for any software development. But he also points out that the Top 10 may have unintentionally done a disservice by creating too much focus on itself and not enough on other potential security issues.</p><p>For this reason, Douglen prefers to discuss threat modeling, a more comprehensive approach to understanding and addressing security risks.</p><h2>Show Transcript</h2><p><em>This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.</em></p><p><strong>Elliot:</strong> Hello there, and welcome back to Adopting Zero Trust. We are at RSA Conference 2024. And today, we're going to do something a little different. 
We're doing a crossover episode. Which means I'm going to hand this over to Chase. You'll give me a little spiel. Maybe tell the world about Dr. Zero Trust Podcast, and then we'll go from there.</p><p><strong>Chase:</strong> Yeah, so I'm Chase Cunningham, Dr. Cunningham, Dr. Zero Trust, if you want to be, I don't know, cool or whatever. I host my podcast, we break down the realities, and we talk about the actual stuff you need to worry about, so if you're looking for truth, come to Dr. Zero Trust. Maybe a little bit</p><p><strong>Elliot:</strong> too raw. Very clear, transparent, very raw. But fortunately, we have two wonderful guests who are also going to be joining in that. Now, I don't want to get too far ahead of myself. So maybe we can hear about who you are, your background and, yeah, where you're at. So,</p><p><strong>Avi:</strong> My name is Avi Douglen.</p><p>I'm currently the chair of the global board of the OWASP Foundation. For those that don't know OWASP, it's a non profit, global non profit dedicated to providing resources and information to be able to build and test and deploy secure applications. That's what it's all about. In my day job, I run a small.</p><p><strong>Elliot:</strong> Clearly the guy's got his messaging down right. But if you don't know, I feel like you probably are not listening to the right channel. You've been under a rock for the last 20 years. I would be a little concerned. I would pull your cyber card. Yeah, a little bit. Alright, Stan, how about you, man?</p><p><strong>Stan:</strong> I'm Dr. Stan Barr, I'll go with the doctor thing. But I'm Dr. Deception, so don't believe anything I say. I work at MITRE, I work at the MITRE Corporation. And I have, I've been working for the last probably 10 years on cyber deception. 
I built MITRE's ENGAGE framework, which is about how we engage with adversaries.</p><p>And I'm interested in all things about how we protect ourselves from adversaries, how we learn about adversaries, and all the rest of it. I've done a lot of research and a lot of different things.</p><p><strong>Elliot:</strong> Perfect. Alright, so we've got a little bit of a balancing act between the organization that has the top, I don't know, application threats, what people are probably very familiar with, but correct me if I'm wrong, one of your two organizations recently just released something about AI, protecting its AI too.</p><p>All right. OWASP did, I dunno. There you go. I got MITRE also</p><p><strong>Stan:</strong> do that. So MITRE has a framework as well, but I'll let you</p><p><strong>Avi:</strong> go</p><p><strong>Stan:</strong> first. Sure.</p><p><strong>Avi:</strong> So OWASP actually has a set of projects, and you can check it out at owaspai.org, and a set of projects both about how to build AI applications. And there's also a really popular LLM Top 10 when you're deploying applications built on that.</p><p>Now, it's really interesting that these projects, of course, everything is open source and volunteer driven, but it's getting real traction and it's working with the European Union CRA initiative right now. And OWASP is now setting the standards that are going into the EU CRA regulations and will soon become laws eventually about what AI should do.</p><p>Very</p><p><strong>Elliot:</strong> cool. All right, Stan.</p><p><strong>Stan:</strong> MITRE has just released a framework, or it's been out for a little while, called atlas.mitre.org. And ATLAS is all about protecting large language models, protecting AI, and protecting them from threats. I'll just leave it at that.</p><p><strong>Chase:</strong> We need more collaboration there.</p><p>AI in front of something, that means it's actually AI, right? That's all this AI stuff. 
It has to be real AI. That's what we should take away from this. These are all AIs? I heard. Okay, are</p><p><strong>Stan:</strong> we non player characters? I don't know. Okay, we'll find that out. I'm in</p><p><strong>Chase:</strong> the seventh</p><p><strong>Elliot:</strong> circle of Dante's Inferno.</p><p><strong>Stan:</strong> We'll figure it out. I will say, I thought every</p><p><strong>Elliot:</strong> single booth was going to have AI slapped on there. It wasn't as bad as I was expecting. It wasn't, yeah. Alright, as you can obviously tell, we've got a pretty great panel here, which means we're able to talk about something we have not really been able to touch on, which is emerging threats and being able to get in front of them.</p><p>AI is a big piece of it. A lot of organizations here at RSA Conference are trying to tackle it in various different ways, different flavors. But let's just pivot from there. Chase, I'm going to throw this over to you. You've been in the world of Zero Trust more than most folks. You followed John.</p><p>So from emerging threats, from things that we're facing today, what do you see as the biggest challenge outside of AI and some of the other stuff that's still killing us every day?</p><p><strong>Chase:</strong> The biggest thing, in my opinion, is that we still are relying on people not to be people. Phishing training is a waste of money.</p><p>There, I said it at RSA, stop wasting your money. It's just bad, you're pissing it away. That's one. The other thing is, start. I can't understand why organizations that I talk to still sit around hemming and hawing about engaging in cyber and strategy and whatever. It's, you have decades of proof, you have billions of dollars, it's just a matter of time and it's not a FUD thing, it's just a reality deal.</p><p>You're, death, taxes and cyber security. 
So start doing something and as far as emerging threats go and whatever else, if you really look at it, and I think the Verizon DBIR and Mandiant M-Trends report and everything MITRE publishes are like biblical references to me. You have a space where the bad guys literally tell you what they're going to do and people wonder how do we stop it?</p><p>Like you stop it where they say they're going to do the thing they're going to do. It's not rocket surgery. It can get complex, but if you make simple things hard, it's hard. This is the basics, the blocking and tackling, the right way to approach the problem. It just makes a difference.</p><p><strong>Elliot:</strong> So I knew you were going to give the right answer, which is that emerging threats are just different layers on top of what has always been the issue. And it's people centric. So you got</p><p><strong>Chase:</strong> to. It's a new flavor, it's a</p><p><strong>Elliot:</strong> new branding, that's it. But at the end of the day, it's about people and psychology, as much as the technology that goes around it, solving it, all that good stuff.</p><p>Between your two groups, you have, I know you're on the Engage side, but there is, obviously, the ATT&amp;CK framework. People have TTPs, they highlight the different ways that organizations get hit. You all have, through research and data, the biggest things that you need to resolve. Those are, I don't know, the easiest entry points or the most common vectors of attack.</p><p>So I'd just love to maybe dig into a little bit of how you have seen AI and some of these other challenges hit the market. How you're dealing with people, especially on the federal government side. Yeah, how are your organizations communicating these different changes in the face of it's still a people centric challenge?</p><p>Do</p><p><strong>Stan:</strong> I'm not going to comment on spear phishing or phishing training, but it's stranger danger, right? 
It's, if you want to go back to, yeah, it really is. And it's about us being what the phishing training is supposed to do.</p><p>What all these things need to help us do is be conscious of everything we do now. And that's what we need to be like, why are you answering these questions? Why are you reading this email? Why are you putting your credentials into this thing, right? This is what we need to do, we need people to be conscious of what's going on.</p><p>I think that, and going more specifically to your point, I think that AI is problematic because it has a good recall. Like anything that you put into the, anything you tell a stranger now, they can remember for a long period of time, right? So there's that recall, there's a tailoring.</p><p>Once it starts learning what you want from all the interactions you give it, you need to, it can tailor that, it can be big, it can scale, it can be one person or 100 people or 20 people, it can operate 24/7, AI can then, say, pressure release maintainers into giving up the maintenance of a repo to give someone else a chance, bad things happen, I think these are the sort of things we have to worry about with AI, I don't think it's, I don't want to fear monger, right?</p><p>Fear mongering is bad. It's stranger danger. Figure out what you need to tell people on the internet. Why are you putting this stuff in? Why are you leaving it laying around? So I think those are the kinds of things we need to worry about more than a lot of other things.</p><p><strong>Chase:</strong> I don't disagree with you.</p><p>Like I think phishing training and education is good, but I think relying on people not to be people and click links. This is stupid because I was a red teamer and you could phish and train people and I'll come the next day and get them. If I send you a kitty picture, game over. That's just what it is.</p><p>So yeah, train them, educate them, understand. 
But we also have 10 years of analytic data that says phishing is the number one vector for 10 years straight. Why are we continuing to piss money away when it doesn't make a difference to us?</p><p><strong>Stan:</strong> Also having people have the word password as their password.</p><p>Yeah, that too. Let's, yeah, if</p><p><strong>Chase:</strong> creds and phishing is the number one vector for 10 years straight, there's no question to me about what you solve for first.</p><p><strong>Stan:</strong> Exactly. Absolutely. I think that's, zero days are, they are problematic, and they exist, but, like, how many attacks are just brute force on random creds?</p><p>Yeah. That's worrying about a</p><p><strong>Chase:</strong> sniper round when there's a nuclear weapon getting ready to go off.</p><p><strong>Avi:</strong> Or these really advanced attacks called asking for the password. Oh yeah. Cause people will give it to you. Oh yeah. Oh yeah.</p><p><strong>Chase:</strong> Yeah, it's, what was the joke a long time ago? There was a cartoon that had an NSA and a CIA guy.</p><p>Yes. And the NSA says, we gotta crack the algorithm, whatever. The NSA guy says, give me a wrench. He'll just beat him until he tells me the password. I think it was the other way around. No, something like that. The CIA guy. So this is, no. It's, I agree, like testing and whatever. But. On top of that, when you throw in the AI side, like you've seen my deep fakes, good luck keeping up with that because I can get by deep fake all day long, and there's been examples of that too.</p><p>So we've commoditized exploitation just like we've commoditized defense and it's, it is an arms race that is going to continue going on as long as we're digital until fallout happens. We're going to be in this space. 
We shouldn't be unemployed, which is good, but it just is what it is.</p><p>Yeah.</p><p><strong>Avi:</strong> Listen, the other aspect is, we don't need to be chasing, you said zero days is a problem, but that's not how we're going to get hacked.</p><p><strong>Elliot:</strong> Yeah.</p><p><strong>Avi:</strong> And the interesting thing is that with all these new technologies, everything old is new again, right? Even brand new technology, AI and LLMs.</p><p>And we have the LLM Top 10. And one of the most interesting new risks on that list is prompt injection.</p><p><strong>Chase:</strong> Yeah.</p><p><strong>Avi:</strong> Injection has been, in one form or another, on the OWASP Top 10 since the very first version. SQL Injection. SQL Injection. Yeah. And other versions of injection. It's injection. It's trusting untrusted input to a trusted parser in an unfiltered way.</p><p>It's still the same thing with a different model. Once you break it down, I spend a lot of my time doing threat modeling. Which is basically trying to simplify the entire system, understanding how it really works. And then you understand what can go wrong. And it's a lot of the same stuff all the time.</p><p>The crazy thing is, I think it was 1999, some Microsoft folks came up with a framework called STRIDE. Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege, it was really this. The crazy thing is you could apply this to an LLM system today. AI system today. You're not gonna find 100 percent of the issues.</p><p>You're gonna find a lot. You have to be flexible in your thinking, but it's still the same thing. So if you get the basics, it's done right. If you pay attention to the fundamentals, then these emerging threats are just passing scenery. Absolutely. 
AI is a big change, but the basics still apply.</p><p><strong>Elliot:</strong> So I'm so glad that you position it that way because I want to pivot a little bit and we'll probably roll back right to where we were.</p><p>But there is a media literacy component to this too. Now, it's not just media literacy as in the organizations that have to cover these, like zero day attacks, new breach instances, all that stuff. There's also organizations, vendors who do their research and they're trying to highlight new, I don't know, unique things.</p><p>So things that fall outside of TTPs, outside of the Top 10, and they obviously get more attention because they're novel, they're unique, they draw attention. So in your perspective, do you feel like that is a problem? It is. It's an unhealthy scenario where organizations just keep chasing after those big things.</p><p><strong>Avi:</strong> You touched on the Top 10, so I'm going to start with that. A lot of organizations follow the Top 10 and they have compliance with the Top 10, and there's a huge amount, almost all the vendors have built their tools around the Top 10, scan for the Top 10, basically building out compliance with the Top 10.</p><p>The Top 10 is not a standard, it's an awareness document. It's basically, hey guys, security is important, here's a bunch of different things. If you're worried about the Top 10, I see this shirt all the time: I got popped by the OWASP Top 11 and the Top 25 and the 103. It doesn't matter. The Top 10 is just because they're easy to understand categories, right?</p><p><strong>Elliot:</strong> Yeah,</p><p><strong>Avi:</strong> that doesn't help you understand what the actual system is. That doesn't help you find the real issues. If you get hacked by something out of the Top 10, that's negligence, in my opinion, unless it's something real extreme. It's basic hygiene. It's basic table stakes. 
This is not for extreme banking systems.</p><p>If you put a catalog on the web, on the internet, you gotta, you have to watch out for the Top 10 because it's literally the table stakes of having any kind of software development, anything past</p><p><strong>Elliot:</strong> that,</p><p><strong>Avi:</strong> yes, people ignore it. In some ways, the Top 10 has done a disservice in that way. Too much awareness of the Top 10 and not awareness of everything else.</p><p>Which is why I don't talk about the Top 10 often. I talk about threat modeling. I talk about things like the ASVS, the Application Security Verification Standard. That is a standard. And you've got two hundred and ninety security requirements to build into your system. This is how to do security engineering.</p><p>How to do security by design, right? This is what you need.</p><p><strong>Elliot:</strong> What you got?</p><p><strong>Stan:</strong> I, the threat modeling I think is the important thing. It's what are your gazintas? What are your gazatas? And what goes on inside there? I think it's like, it's always going to be, I don't think you can just worry about the Top 10.</p><p>It's all, and I think the biggest problem is, this is, no, not enough people are doing hygiene, right? This is like, how is it that not everyone has 2FA on everything today, right? I use multiple, I have my Microsoft Authenticator on all my personal accounts and everything. I don't even understand when organizations say they don't have 2FA.</p><p>It just, it's simple things like this that we just have to deal with. And we're not effectively, as a community, dealing with this yet. And it's, you try and. I do a lot of research. I'm sure you guys do a lot of research and there's this, all this thing about how we defend against high end threats.</p><p>And then you've got people who like use password as password, right? It's, I don't know what to do. 
So I think,</p><p><strong>Chase:</strong> We built this, we built the system where the punitive measures do not outweigh the incentivization, right? Because we've got all these compliance standards. Find me a business that's violated compliance standards knowingly, egregiously, that has gone out of business.</p><p>They're not there. PCI, HIPAA, HITRUST, whatever, you do it, it's the cost of business, they allocate money, they pay the fine and go on about their day, and then nothing changes. It's, if we built airplanes the way that we build digital infrastructure, there'd be eight of them out in front of the Moscone right now in heaping piles of rubble.</p><p>But nobody would be punished. It would just be like, oops, sorry, we forgot to put the door on, Boeing, so whoopsie, no big deal. Until we change the punitive measures for, like, negligence and other things that we have in other areas, it's not going to make a difference. And that, I don't think until the legislation, until the leadership from the top comes down and says, if you don't enable MFA for three years on an internet facing account, it's not an oopsie.</p><p>It's, you're going to prison for a year. That will change things. You know what I mean? That's where we start to change stuff. We're having 8-K filings. We're having CISOs having to answer for stuff, the golden parachutes are there, whatever else. But literally, if this is a critical infrastructure space where people have died, and I published, I read and published the research this year.</p><p>I've pirated some of the research really around that. There were, I think it was 86 humans died because they were unable to get medical care because of an outage. If a hundred Americans died from any other thing, it would light the world up and it would change stuff, but because it's cyber, because it's digital and nebulous, right?</p><p>They just go, where's the nerd? Somebody left the firewall open. Like it's not real. 
So in my opinion, we've architected the legislation, the compliance standards, everything else to be fraudulent. And until we change it and actually enforce it, nothing's going to actually change. All of this is great, but it doesn't change anything.</p><p><strong>Avi:</strong> Can I jump on that with two comments? Number one, I don't think it's the CISO that should be punished here. No, I think it's the whole board, the CEO, everybody. And the engineering organization. Oh, sure. They're the ones who build the systems, they need to build it right. Yeah. CISO is a check, support system, whatever you want to call that.</p><p>But it's the engineers, I'm not saying every programmer. Somewhere a developer right now is, ah, geez. Listen, it's not the developers. Developers do what they're told, right? It's the entire engineering organization from the VP of R&amp;D and the CTO on, and up, right? But there's also a difference between</p><p><strong>Chase:</strong> Misconfigurations that are done, whatever, and overt negligence.</p><p>Most of what we see that's egregious is overt negligence. I agree with you 100%. And it sits on the internet for years on end. You should be shot out of a cannon into the sun.</p><p><strong>Avi:</strong> SQL injection on the login page, which still happens. Shot out of a cannon into the sun.</p><p><strong>Chase:</strong> We should just build a giant trebuchet and just start launching people into the sun.</p><p>I'm sorry, I just, like</p><p><strong>Avi:</strong> The other thing I want to touch on, you basically posed a formula here and say we need to increase the punitive. I can't disagree with that. That makes sense. But I'd rather focus on the other side of that. Because there is value to be had in actually doing it.</p><p>In doing it right. You. But</p><p><strong>Chase:</strong> my point is, we've built a system where that doesn't equate. 
And we have plenty of research and plenty of publications that tell people unequivocally, data driven, if you do these basics right, it will save you money in the long run. Which, all of us are here because money is a thing.</p><p>Like we've already changed that. The incentivization is there. The incentivization is not suck and not get pwned and whatever else. What we should do is implement a tax break for organizations that are cyber efficient, is what we ought to do. That's not</p><p><strong>Avi:</strong> bad. I like that idea. But saving money is not value.</p><p>What value is, is what businesses are. Businesses don't exist to save money. Sure. They exist to make money. Sure. And you can make money from security. From a secure product. I don't mean selling secure products. Now, nobody pays extra for security. You don't pay extra to have seatbelts in your car. But if you're buying a car that doesn't have seatbelts, you're going to either pay less or not buy it at all.</p><p>If it</p><p><strong>Chase:</strong> was phishing training, they would tell you, look, we have a seatbelt, make sure you buckle it right before you get in a wreck.</p><p><strong>Avi:</strong> My point is there is value to be had by doing things right. It is more efficient, as you say. There's a save money, save time, all that stuff. But you can actually generate, and I don't even mean for security products.</p><p>Oh, yeah, whatever it is you're selling. We protect your information, whether it's privacy, security, whatever you want to call that. However you want to look at that, there is value to be had. We need to be driven by that business value and not check the box compliance.</p><p><strong>Chase:</strong> Totally. 
And I would love to see an experiment where if we came up with one line in the tax code that said, if we can validate your security posture and it's acceptable, you get a tax break.</p><p>The entire system would change in a month.</p><p><strong>Avi:</strong> The interesting thing is that OWASP actually has a few projects in place to set that up, to do that verification, whether it's things like</p><p><strong>Chase:</strong> legislators that listen to this, call OWASP. Whether it's things</p><p><strong>Avi:</strong> like CycloneDX and software bills of materials with cryptographic attestations to what is built into that.</p><p>To things, to standards like ASVS and SAMM. Yeah. If we have EPA</p><p><strong>Chase:</strong> standards that you get a tax break on because your building is reflective and shiny. Yeah. Why can't we have a cyber security tax break? Love it.</p><p><strong>Elliot:</strong> Makes sense. Maybe that's how you reduce insurance</p><p><strong>Chase:</strong> premiums. That would be my stump: cyber tax something.</p><p>I don't know. That</p><p><strong>Avi:</strong> was the first step in getting seatbelts and cars more, more safe. There you go. If you have this, then we will give you a discount, and eventually it became a requirement. Yeah.</p><p><strong>Stan:</strong> One of the things we talked about, like compliance is yesterday's problem, right? It's just, it's don't let this happen again. And it's where I just wonder, like, where's resilience in you guys' thoughts about building things that are resilient to attacks. And I think it goes to, this is, I don't know how we move that incentive from this idea of let's not get pwned by the same thing we did yesterday, but how do we start thinking about the architecture?</p><p>So we can be more, more resilient going forward. So we don't have to, but people should not be just worried about yesterday's, and that's a problem. And that's, that's what I see all the time. 
It's just, I followed exactly what I was supposed to be compliant and it happens. Case of rock is rock.</p><p>So how do we actually work towards getting more resilient? I wonder if you guys have any thoughts on that or</p><p><strong>Avi:</strong> Yeah, let me just check that in there. I'll jump in on that because it's gonna sound like a broken record, right? There's three parts to this. What are you building? Software.</p><p>The ASVS gives you the security requirements. Do this right. If you build it according to this way, you're secure. Level 3 ASVS, you don't need to worry about specific attacks, you're going to be resilient. You go, you build your software process using something like OWASP SAMM, Software Assurance Maturity Model, right?</p><p>You get, it covers the entire software development life cycle end to end, and it's a maturity model so you can build up over time in various different areas, and if you're doing things right, even if there are mistakes, you will catch it, because that's how the process works. And my third drum that I always bang on is threat modeling.</p><p>I've already said it three times. But then you know how it's working. You understand the issues. You don't need to worry about what will happen because you know what will happen. That's what threat modeling does. It gives you that visibility and understanding of how to build it right. Yeah.</p><p><strong>Chase:</strong> Works for me. Now just make it a thing.</p><p>That's where we're at, it's weird. I think we're at a critical spot after we've gotten past COVID and everything else. And I, unfortunately, the military guy in me sees that until a substantial event and loss of human life occurs because of a cyber related event that is clearly tied to it, it's not going to make much difference.</p><p>Now, even though we know last year we lost nearly 100 Americans because of the cyber thing, until, I don't know, a cruise ship just 
falls over or something because they put all the water on the side where the people were not eating or something. I don't know. And it just tips or something, but until it's, until there's bodies, it's not real and that's a problem.</p><p>Yeah. Digital loss of money. So what, digital loss of blah, blah, meh, but critical infrastructure. We can't go three days without a water system showing up, without an electric grid. Like I, I don't know how much more it takes to finally say, let's do something different. We're in an election year.</p><p>There's so much going on, buy ammo because I know I can take care of me.</p><p>Buy generators, buy ammo, like that type of stuff. All right, more centering</p><p><strong>Elliot:</strong> That brings us to a time, and not for any reason that you just gave me, no, just kidding. Avi, Stan, thank you so much for chatting. And I, if anything, and I know we're preaching to the choir because both of our audiences overlap, this is about being defensive, proactive.</p><p>Yeah. We'll use the shift left conversation, but ultimately this still wraps back to Zero Trust. It is verify everything. No one, no inherent trust. And stop worrying about lists. That's a Top 10 focus; focus on threat modeling.</p><p>That's the philosophy of it. It's not just having fun in the back room with a hoodie on. That's not really how our space works. It's about empathy, people centric, and I think you all have definitely communicated that.</p><p><strong>Chase:</strong> Agreed. Huge fans of everything you guys do, love, love the stuff I read, MITRE's everything.</p><p>It's just, you guys publish this amazing content.</p><p><strong>Stan:</strong> Yeah. Thank you! Yeah, for all you do too.</p><p><strong>Chase:</strong> Yeah.</p><p><strong>Stan:</strong> All right.</p><p><strong>Elliot:</strong> Thank you.</p><p><strong>Announcer:</strong> Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about Zero Trust, 
go to adoptingzerotrust.com. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show do not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.</p>]]></content:encoded></item></channel></rss>