In this week's episode of the Won Percent Podcast, Mike goes to his first bachelor party. The Jeff gets the East Cleveland court experience. Beans gets Fleming's catered to the house. Michael Sutton shares some of his experiences from the last 15 years of imprisonment. All this and so much more in this week's episode of the Won Percent Podcast. --- Support this podcast: https://anchor.fm/won-percent/support
Michael Sutton, Yoga Teacher, Holistic Health Practitioner
Michael Sutton has over 40 years' experience teaching the principles and mechanics of the mind/body connection through martial arts, yoga, and meditation. He is a yoga teacher, martial artist, facilitator of discussion groups, and spiritual activist. He is also the founder and director of Rising Sun Yoga. His passion is teaching and helping others to experience insights. A certified and registered Hatha and Iyengar-based yoga teacher and a karate instructor, he lives as holistically as he can - contemplating, meditating, visualizing, feeling, eating smartly, staying fit, practicing yoga and other movement forms, and having a healthy outlook. Michael believes that thoughts and their attendant feelings are more powerful than anything you put into, or let come out of, you. Those same thoughts and feelings ultimately create your beliefs and perceptions. He has experienced many injuries, including torn ligaments and tendons, ripped muscles, broken bones, fractured ribs, sprains, strains, tears, aches and pains, vertebral problems as a result of engaging in team sports, and kidney challenges. He finds the only benefit to having experienced these injuries is that he understands what others have experienced, can teach people how to move properly, help them re-align and balance themselves, and assist them in regaining a healthy lifestyle. He knows that thoughts and feelings, when directed properly, can heal the physical body. He has embarked on a program of physical healing in alignment with the teachings of Dr. Joe Dispenza, the HeartMath Institute, Gregg Braden, Bruce Lipton, Neville Goddard, and Anthony William. Formerly a practicing herbalist, iridologist, and health consultant, Michael has learned to address issues holistically and has continued his education in key health-related areas, conducting research through topic-related books, and as a result has had the privilege of helping many people.
He also presents health-related topics to organizations and groups. A large segment of his life was spent studying martial arts (27 years) before he was introduced to yoga in 1999. During some of that time, he spent 20 years in the banking and software industries. Michael founded Rising Sun Yoga to help people change the(ir) paradigm, bring people together in community, and create a center for education. His classes can be slow and even, mindful and steady, or strong and flowing. Usually his classes are a combination of all of them, giving you an opportunity to explore and stretch your boundaries. He is a Yoga Alliance (YA) E-RYT 500 hour Certified Yoga Instructor. He offers both group classes and private sessions. For private classes, he can be reached at Michael@RisingSunYoga.com or at 716.632.5802. He also offers therapeutic yoga for anyone with injuries or chronic conditions.
Michael Sutton: The future of zero trust (and how we'll get there)
The Secure Communications Podcast
StoneMill Ventures founder Michael Sutton knows a thing or two about secure communications. As the former CISO of Zscaler and now an angel investor, he's been involved in multiple companies doing cutting edge work in cybersecurity. In this episode of The Secure Communications Podcast, he talks about the concept of "zero trust" and how it is designed to solve the challenge of user risk. Never has this topic been more relevant than now. With the coronavirus pandemic driving organizations to send their employees to work from home en masse, securing teleworker access to corporate networks is critical. Traditionally, the work from home security challenge was solved by installing VPNs, but in today's world the organization no longer controls where its employees are working, how they're connecting, or what devices they are using. Zero trust was developed in response to just this challenge. Listen to the episode, or read the full transcript below, to hear Michael's insights on zero trust.
Transcript
Kathleen (00:01): Thank you for joining today's episode of the Secure Communications Podcast. I'm your host Kathleen Booth and today my guest is Michael Sutton, who is the founder of StoneMill Ventures. Welcome, Michael.
Michael (00:39): Thanks for having me, Kathleen. I appreciate it.
Kathleen (00:41): I'm looking forward to talking with you. Before we dig into our topic today, can you share with my listeners a little bit about yourself, about StoneMill Ventures, and your background and how you came to be doing what you're doing today?
Michael (00:54): Yeah, for sure. So I've been in security pretty much my entire career. I spent the majority of my career in startups as an operator in IT startups in the security space. Typically I was the guy who would build the research teams and the last role that I had in that world was with Zscaler. I was one of the original employees. I stayed there for a decade. Ultimately I became the CISO of the company and got into investing later during that time and just really fell in love with angel investing. I've always loved building things and that's why I was in the startup world. And then as I became an investor, I loved the fact that I was doing that, but doing that with multiple companies and amazing founders who were pouring their all into these great new startups. And I kind of decided that that was the path that I wanted to go down. So when Zscaler went public, that opened the door for me to step down and do investing on a full time basis. And so that's what I do now. I do full time investing and pretty much exclusively focused on cybersecurity.
Kathleen (02:04): Boy, as a side note, I can really relate to that because I owned a business for 11 years and when I decided to get out of that game, I had a lot of different options and with where I was in my career, I think a lot of my peers tended to gravitate towards larger companies. And as somebody who's owned a business, I love growing and building things. And so I too had that kind of affinity to startups. It's a very particular world and it's not for everyone, but I think if you've got that entrepreneurial bone, it's a pretty good way to address that need in your life.
Michael (02:39): Yeah, totally agree. And I always say being an investor is like being the uncle as opposed to the parent, where I get to have all the fun and work with these founders and get to work on the ideas. But then when things get really tough, I can go over and help another one and hand the baby back to them. So, it's kind of the best of both worlds.
Kathleen (02:59): That is awesome. Less stress. I love that analogy. Well, one of the reasons I was really excited to talk to you is that on this podcast we look at all things relating to secure communications, which admittedly is a pretty big umbrella. And one of the topics that has come up again and again is this notion that at the end of the day you can have an amazing security architecture, but your end user is still in many cases your greatest risk. And that has really led to the advent of this movement towards zero trust. I know you've got some thoughts on that. You've been looking into it, you deal with a lot of different companies that are playing in and around that space. And so I'd love to just start out by getting your thoughts on the advent of zero trust and why you think that the time is now for it.
Michael (03:58): Yeah. So I think it's especially pertinent now given that we're all working from home and we can dig into that deeper as we go. But you know, working remotely and having technologies to do so is not new. We've been doing that for a few decades now. But historically the way we would do that was using VPN technology, virtual private networking technology. And now we're starting to see new technologies like SDP, software defined perimeter, and we can get into kind of the differences between those. But the concept of zero trust encompasses a few things, but obviously the connectivity piece is core to that. And so you need a technology to be able to do that. Now, the term probably originated about a decade ago. I know Forrester, John Kindervag at Forrester, was pushing this probably back in 2010 and he's probably the guy who first coined that. Google has been talking about zero trust, although they typically talk about it under the moniker of their BeyondCorp initiative.
Michael (05:05): So they've kind of been doing internal business that way for a long time. And really, the philosophy is that we're changing a paradigm on how we connect remotely. Whereas we used to have this philosophy of we just build an impenetrable fortress, all of the assets are in the castle and we have the impenetrable moat around it, and we decide if you should gain access and once you gain access, you're good. Now that worked when we were in a world where the corporation controlled all of the assets and they all sat in one place. But obviously the world has changed dramatically. And that's not the case. You know, typically, I'm working remotely. I am on a personal device. I am using a cloud based resource. So the enterprise no longer controls the device. They no longer control the network, they no longer control the data.
Michael (06:02): So zero trust kind of shifts the focus from saying, Hey, we'll make sure you're a good person and then we'll let you into the fortress, to, we're just not going to trust anybody. We don't care where you're sitting. You could literally be at your desk on the corporate laptop. I'm not going to treat you any differently than the sales guy who's sitting at the airport on his iPad. I'm just going to assume that everybody's untrusted and I'm going to authenticate you in real time specifically for that task that you're trying to complete. And once that's done, it's done. And then we'll worry about the next request when the next request comes. And so it's a very different philosophy on how we handle remote connectivity.
Kathleen (06:45): It's interesting to me because I think one of the guests I just spoke with in a previous episode, that episode was all about the human factor and why it's been so difficult to solve because that's not a new issue. You know, you have your end users and you can build these amazing technologies to protect the corporate network. You can put in place great security solutions, but you still have people on there. Their behaviors are unpredictable and they're doing the things that are easiest and most comfortable for them whether or not they make the most sense from a security standpoint. So it's interesting to have this conversation on the heels of that because I feel like that is sort of where we've come to, is that even with well-meaning end users, there are still behaviors that they will engage in that with the best of intent put the corporate network at risk. So, what is the implication of zero trust not being solved? What do we stand to risk if we can't put an architecture like that in place?
Michael (07:56): Yeah. So, you know, the world is changing and so we have to adapt with it. And if we don't, it's really gonna impact not only security but our productivity. Like if I say, you know, let's be really archaic and say you can only work in the office and you can only work on the corporate issued laptop or desktop, well right now your company would be shut down because that is not an option. So that's a bit of an extreme example, but I think it illustrates where we're headed. And I think it's also important to know, you know? Often I'll get asked like, Hey, what are zero trust technologies? Zero trust is not a thing. It's not a technology. It's really a philosophy. It's what we talked about earlier where it's just changing the paradigm on how we do security, how we decide who is allowed to do what and when.
Michael (08:45): So it's really a combination. It is a collection of technologies. Everything that is used to handle that authentication, that connectivity, figure out the risks associated with it. So it's actually multiple technologies. And it's a change in the philosophy and we're doing security at a separate layer, whereas we used to do security at the network layer, what I was talking about before, like, Hey, we'll decide if you need to get in and we'll give you that open pipe to do whatever you need. And now we're really doing security at an application layer where we're doing it specifically for whatever task you are trying to achieve at that time. So again, zero trust is not a thing, you know? It's really an approach. It's a philosophy on how we do security and it's just, it better fits where the workforce is headed and gives us much more flexibility and ultimately hopefully more security as well.
Kathleen (09:44): Now when you look at the landscape of organizations, and organizations being a really broad term, encompassing private enterprise, government, you know, nonprofits, educational institutions, you name it, when you look at the world of organizations and then you think about the varying degrees of zero trust implementation from zero, I haven't done anything with it, to 10, perfect world, I've got it completely on lockdown. Where are we right now? Sure.
Michael (10:15): Well, I think we've just gotten a shot of adrenaline, and that may be a silver lining of this pandemic, that it's forcing us to kind of accelerate some of our thinking and how we do things. But you know, where we're at, different companies, so as I mentioned earlier, like Google was talking about this publicly back in 2010 where, and they weren't selling products related to it. They were talking about, Hey look, this is where we think the world is headed. And so we're internally building tools and technologies to allow us to do this. So they were certainly ahead of the curve. I think on the other side, more conservative organizations like especially federal government, intel organizations, things like that, they're moving more slowly, more cautiously toward that. And those that simply aren't able to put a lot of money into innovative technologies, like not-for-profits, they might not be doing it as much.
Michael (11:13): But you know, a couple of things there. One, it's no longer a costly venture. As we move toward more SaaS based services, cloud based services, you know, that's one of the beauties of technologies like that: you don't have to build and buy and maintain and set up infrastructure, you know, you can literally rent that infrastructure. So some of these cutting edge technologies are accessible to everybody in a way that they never were before. And then back to my earlier comment, this fact that we've suddenly had to go from maybe a handful of remote employees to all remote employees is really forcing us to rethink things and say, okay, from a couple of perspectives, I think companies, number one, they just have no choice. It's either shut the doors or figure out a way to handle remote work, and zero trust is a platform which enables them to get there.
Michael (12:09): You know too, I think when the dust settles, a lot of these companies and employees are going to revisit this and say, this wasn't such a bad way to work. Companies are going to say, I didn't have to pay for office space. Employees are going to say I didn't have to sit in the car in traffic for an hour every day. So we were always moving in this direction. We were always moving toward cloud and SaaS and mobile devices and personal devices and suddenly I see us getting the shot in the arm that's going to cause that trend to accelerate.
Kathleen (12:38): Yeah. I'm already hearing those conversations. You know, it's really interesting, both on the employee side of, I don't know if I can go back to 40 hours a week commuting in, and also on the corporate side of companies saying maybe we should renegotiate our leases. Maybe we should downsize our space or get rid of our space. So that is interesting. I liked that you mentioned costs because my question, following on what you were talking about, was going to be, what does zero trust do to the cost of a security solution? And you said it doesn't increase it, but it's interesting to me why that is. Because on the surface, when you think about introducing that added layer of, like, check and balance at every new, call it, action that an end user will take or every new entry point or every new task, it would seem as though that's adding layers of bureaucracy and security solution architecture design. Is it just that these products are now being developed so that it's so baked into the system that it doesn't introduce a lot of inefficiency and additional costs?
Michael (13:42): So let me answer that from a big picture perspective. So I wouldn't suggest to someone that, Hey, you can just throw out everything you're doing and move to a completely different security paradigm and it's not going to be costly. It will be costly because you're going to have to fundamentally change a lot of what you're doing. Now if we go even a step above zero trust, Gartner is now talking about SASE. That's sort of their new buzzword and it stands for secure access service edge. And really what they're talking about is zero trust is a component of that. What they're talking about is, Hey, look, the world is changing and so let's combine everything that we need to do to get there. And they're combining the security and the networking technologies under one umbrella, which makes sense because it's pretty hard to separate the two at this point.
Michael (14:32): Everything's interwoven. And they're saying we're now delivering security and networking in cloud based solutions, whether it's infrastructure as a service or SaaS based solutions, things like that. And that encompasses a lot. Zero trust is one piece of it. But things like your SD-WAN technology, your secure web gateway, are all under that umbrella. So if you're going to do zero trust properly, it's not a small endeavor. It's not just, well, okay, you used to do things the old way and just give people network level access and now flip a switch and we're going to do zero trust. No, you're going to fundamentally change your network architecture, your security architecture and your security philosophy overall. So, that is going to be a costly and lengthy journey and you're not going to just rip it out and start from scratch and do it overnight.
Michael (15:36): It's probably going to take several years and you know, as certain technologies come up for renewal, you're going to start replacing it. Now, if you're a greenfield company, it's very different. I mean if you started a brand new company tomorrow and you just started hiring people, let's say you're a small company, you're less than 20 people. I mean that's just the way you would do it. You wouldn't set up an email server, you wouldn't set up file sharing, you wouldn't set up servers and clients. You would go and set up your G Suite and sign up for some SaaS services and you would hit the ground running. So you would go down the zero trust path from the get go. So it sort of depends where you are as a company, based on how challenging, timely, costly this movement will be.
Kathleen (16:27): So have you seen any companies right now that you think are kind of the standard bearers for how this should be implemented? I mean, you mentioned Google. I'm assuming that they've gotta be drinking their own champagne. I like that phrase better than eating their own dog food. But other than Google, are there any out there in the wild that come to mind that you think are really leading the pack with this?
Michael (16:51): Sure. Going to my statement about how if you were starting a company now, prior to my time as an investor, I was at Zscaler for a decade and we really drank the Kool-Aid, the zero trust Kool-Aid, for good reason. That was a big part of our business that we were selling, but that was really core to our philosophy. We were very adamant that we were going to do everything in a SaaS based model. You know, everything was going to be single sign on. We weren't going to run servers. I still remember a conversation, you know, as the CISO focused on security technologies, and I was looking at this technology from a well known, but I'll keep unnamed, vendor. And they said, Oh, you just have to install this component on your internal servers. I said, I can't, so what do you mean?
Michael (17:41): Like it's, you know, it's just this little virtual thing you just decide. I said, I don't have any servers. And he looked at me like I was nuts. At the time we had two employees, so we weren't a small company, but that was core to our philosophy and although we were kind of bigger than most companies that would have been die hard on the whole zero trust philosophy, that was the reality. And I think that any company that starts running today will follow that same path. I think technology companies, especially any technology company that's started within the last half dozen years, that's just a given that you're going to go down that path.
Kathleen (18:20): And you know, obviously with this kind of a shift, you're moving from taking ownership of your security at the local level to really, I guess for lack of a better term, outsourcing that to the cloud providers. How confident can companies be that their cloud providers have this all on lockdown?
Michael (18:44): Sure. You know, that's a question I'd say I get less now because we're more comfortable with it. But I used to get hammered with, well, since this is security, I can't outsource security. And to me, that's not really a decision, right? There is one thing you can't, whether or not you're doing that in house or you're doing it in the cloud, you still can't outsource the responsibility.
Michael (19:13): I would absolutely argue that for the vast majority of companies, if you hire the best security talent, you know, entice them because they were coming through this really cool growing company that was doing some really fascinating stuff. It's pretty hard to get good security talent when you're a widget factory. So I think the vast majority of companies would see far greater security when they move to cloud providers because that is their key focus.
Kathleen (20:15): So now you mentioned before that zero trust is not a technology and I think you made a great point about that. It's a philosophy, it's a culture within the organization. Having said that, are there some technologies or providers that you're particularly excited about with regard to, you know, them doing really cutting edge work that's gonna feed into the ability to solve for zero trust?
Michael (20:40): Yeah. So I think, you know, again, zero trust kind of has all these components. It's got an authentication component, an identity access management component, and a security component. But I think a key part of it is, for those remote employees, there's the connectivity piece and that's where we're seeing a shift in the way that external entities will connect to a system. Whereas historically we would use VPN technologies, now we're moving to something called SDP, software defined perimeter. And really to kind of just summarize the differences between the two, VPN is a networking technology. So, the idea is I would connect to somebody at one time, authenticate them, make sure that, Hey, this is a trusted person, trusted device, but once they're in, they're in and then they can do whatever they need to on that network. Access whatever resources...
Kathleen (21:33): Keys to the kingdom, right?
Michael (21:36): Now it's not wide open. I would use access controls within the environment, but that's sort of a separate thing. I have to do a good job on that if I make a mistake. And you know, some of the big data breaches in the past have resulted from that. A really famous one is Target, where an HVAC vendor had the network connection or VPN connection and obviously it wasn't locked down and I mean, all they were supposed to do is check the HVAC systems, but the attacker was ultimately able to leverage that to get to the point of sale systems. So software defined perimeter, which is a zero trust technology, takes a very different approach. It's not network level access, it's application level access. I'm not getting a connection at the beginning of the day and then keeping it open.
Michael (22:25): I'm connecting as I need it. So I'm in an application, it needs to access a file that could be anywhere. And that's an important part of it. It's really transparent to the end user. Could be in the private data center of the company. It could be sitting in AWS, could be an internet resource. It doesn't really matter to me. I just know I need to get it. So it would establish that connection at that time for that purpose, and authenticate me. And once I'm done, I'm done. It doesn't mean I have to type in my password every time I change a cell in an Excel spreadsheet; that's transparent to me because other technologies like single sign on are taking care of that. But that's kind of the core difference in philosophy. You know, a networking level technology like VPN or an application level connectivity technology like SDP or software defined perimeter.
Kathleen (23:12): Great. And any companies out there coming to market with really interesting products to solve that?
Michael (23:20): Yeah. So there's a lot of players in the SDP space. Zscaler, that's a big part of our business. A lot of the networking VPN companies have pivoted. You know, the Check Points of the world, the Pulse Secures. I'm also seeing a number of startups. In the past year I've had some companies pitch to me like Meta Networks and New Edge, both of which have actually already been acquired. And that's not entirely surprising to me, because it's an increasingly hot space, but also because you need agents on all the devices and it's increasingly hard to convince the CISO to install agents on thousands of devices. So, the incumbents have a leg up because they already have that real estate taken care of. So a lot of them are leveraging those same agents to now offer SDP capabilities. So a lot of it is kind of the usual suspects in the networking space, the VPN space, that are now offering this as functionality. They're acquiring SDP startups to get there.
Kathleen (24:30): Great. All right. Shifting gears. I have a couple of questions I typically ask my guests and I'm curious to hear what you think. I guess the first one being, you know, with the way that we communicate and manage data changing so quickly, what do you see as the biggest challenge that we're going to face with respect to securing communications in the next few years?
Michael (24:55): Yeah, so I'll give you two answers to that. One very immediate term and one longer term. You know, the immediate term, as we were discussing, you know, we feel forced into the sudden change of everybody working remotely. Well, at some point we're going to have to go back. I think the new normal will not look like the old normal for a lot of different reasons, some of which we discussed. But from a security perspective it's going to be tough to roll that back. You know, companies quickly threw the policies and the rules out the window because, you know, we just had to stay functional. So, you know, it might've been like, Hey, you could only work two days a week, or Hey, you can't access that server unless you're in the office. And suddenly that got chucked out the window and it was like everybody gets everything.
Michael (25:36): Well, what happens when we go back to work? And that has to get real bad. And as a guy who's worked in security most of my life, I know I'm drawing a line in the sand and holding to this one thing. Coming into a new company and saying, okay, all the stuff that you used to have, all this flexibility and access that you used to love, it's going away. That's really hard to do. So I think recalling these rights is going to be an immediate challenge. But I think the longer term challenge, security talent is really the biggest challenge that we're going to face. You know, there is a major shortage of security talent. And that's one reason why, as an investor, I'm very interested in companies that can help. It'll make things easy for companies to do security. Not, I don't really need expertise. I don't have to build this massive, expensive and heavily staffed security operations center. So that's always going to be a challenge that we're going to face.
Kathleen (26:36): So what new security technology are you most excited about in the next five years or so?
Michael (26:43): Yeah, so I spent a lot of time looking at artificial intelligence, machine learning, technologies in that, you know, it's a fascinating space and unfortunately, much of what you hear is hype. We're not there yet. I'll be the first person to tell you that AI and ML is not a silver bullet to solve all of your problems.
Michael (27:08): But you know, there's no doubt that that's where we're headed. Now, anytime I get a pitch where it will, number one, I don't think I could possibly get a pitch where the person doesn't mention AI and ML. Like it's just, it's kind of a, you know, the belief is like you're expected to have and you are.
Kathleen (27:26): How often do they really have it though? Because I've noticed people over and over, they have used those terms and use them liberally when they're not really accurately describing the product they're talking about.
Michael (27:38): I'd say nine times out of 10, as I started digging and pulling on the thread, really once you get under the covers, it's the same old stuff. Signature-based technologies and things like that. But again, there's no doubt we're moving in that direction. So if I get a pitch where it's like, Hey, we use AI and ML to create this black box, it's magic and just put the data in and all your answers are coming out the other side, that's going to be a short pitch meeting because that's just not true. That's not the way it is. But, we are already at a stage where AI and ML can do narrow tasks quite well. Like, giving an example, what we're not good at doing is just, there's unstructured data and it's, Hey, go find bad stuff in there. That's just too complicated. But if it's more specific than that, like, Hey, in this pool of data, can you tell me what was the human being and what was the machine? It's actually pretty good at that because machines behave in a very predictable manner. You know, they only go to a couple of domains and they only, and they do it at the same time of day. So it depends on what, you know, what problem you're trying to solve. But you know, absolutely fascinating and critical technology that is going to take time to live up to its full promise. But there's no doubt in my mind that it will be driving every security solution that we have in the future.
Kathleen (29:00): So third question, company or individual, who do you think is doing really interesting and cutting edge work in the field of secure communications right now?
Michael (29:12): Mmm, good question. So I think it's too easy to just say, Hey, we're going to throw out the old with the new. So let me give two answers to that. One, you know, it's important that we still are enabling and empowering existing companies that aren't able to move to some of these that we've been talking about because, you know, I'm still going to have, for example, I might have legacy devices that I can't go install some SDP agent on. They still need a way to get in there. I'm going to have situations where I don't have control over that endpoint. Like maybe I'm not dealing with an employee, I'm dealing with a contractor or a consultant and there's something that's not going to allow me to install something in there. So I still need a way to be able to continue on with some of these technologies like VPN technologies.
Michael (30:15): So Attila, who I'm on the board of, you know, they're really answering that challenge by having, you know, taking that technology and making it accessible in a way that it wasn't before in very small, hardware based devices that are very secure. And so they're able to answer some of those challenges for companies that have situations where they're not going to simply be able to just move to an entirely new paradigm. And then on the SDP side, Zscaler I think is really the market leader there, that they've really pioneered a lot of this and made it so that it's very accessible and very easy to deploy. And you know, I think they've won a lot of people over, who have seen that, Hey, you know, this is where we're headed in the future. And you know, now with this workforce that is just a completely different workforce - it is remote and mobile - this is a new paradigm that we need to move to work.
Kathleen (31:13): Yeah, no doubt about it. I think it's going to be hard to put the cat back in the bag at this point. Well, thank you for joining me this week, Michael. This was really interesting and I loved hearing your thoughts about zero trust and where it's going. If you are listening and you enjoyed this episode, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. We do want to hear from you and if you have an idea for a future episode or you think there's somebody we should interview, tweet us at @attilasecurity. In the meantime, thank you, Michael. It was great chatting with you.
The Gears & Grind Podcast S2 Ep11 - Pitching to Dragons (feat. Michael Sutton)
Gears and Grind Podcast
On this final episode of season 2 of The Gears & Grind Podcast I have the pleasure of hosting Mike Sutton, former co-founder and now sole founder of Canadian BBQ Boys, a BBQ cleaning company. Canadian BBQ Boys was started by Mike and his friend Matt during the summer while they attended the University of Guelph. Canadian BBQ Boys was such a hit that they were able to not only appear on Dragon's Den. This is an episode you won't want to miss, and I'd like to thank Mike Sutton for taking the time to come onto the podcast. Stay safe everyone and don't forget to wash your hands. If you're interested in Canadian BBQ Boys: www.canadianbbqboys.com, Instagram: @canadianbbqboys
Here at Tim Marner we like to hear real people's stories. The term OCD is thrown around a lot, but we asked ourselves: what really is OCD? We invited Michael Sutton, who lives with OCD, to help us truly understand what Obsessive Compulsive Disorder is and how it affects people's lives on a day-to-day basis. OCD is more than just making sure your books are all in line or checking you've locked your door five times. Through personal experiences such as depression, eating disorders and even alcoholism, Michael explains that an OCD mindset can be a heavy burden to live with.
031 Michael Sutton talks about the use of gamification even when it didn't exist
Professor Game Podcast | Rob Alvarez Bucholska chats with gamification gurus, experts and practitioners about education
Michael has built his reputation as a Game-Based Learning Innovator, Architect, and Edupreneur. His current applied research and consulting focuses on architecting and delivering immersive environments using serious games, workshops, and simulations. The initiatives leverage learning experiences by transforming key performance and quality indicators into increased learner satisfaction and institutional effectiveness. He has established an exceptional record of success in educational program delivery, learning communities' development, competency-based assessment, and problem-based educational program management through innovative adult educational and online programs.
In episode 6, Dr. David Chandross interviews Dr. Michael Sutton, a fellow gamification guru and expert in game-based learning. They cover a myriad of topics over this 50-minute episode, namely the current state of gamification and where it's headed.
Michael Sutton and Adam Greene: The Art of File Format Fuzzing (English)
Black Hat Briefings, Japan 2005 [Audio] Presentations from the security conference
In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be caused by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as a more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing, ranging from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference and the disclosure of vulnerabilities discovered during the course of our research.

Michael Sutton is a Director for iDEFENSE/VeriSign, a security intelligence company located in Reston, VA. He heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP). Prior to joining iDEFENSE/VeriSign, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of the Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Adam Greene is a Security Engineer for iDEFENSE/VeriSign, a security intelligence company located in Reston, VA. His responsibilities at iDEFENSE/VeriSign include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX-based system auditing and exploit development. In his time away from computers he has been known to enjoy tea and foosball with strange old women.
Michael Sutton and Adam Greene: The Art of File Format Fuzzing
Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be caused by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as a more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing, ranging from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference and the disclosure of vulnerabilities discovered during the course of our research.

Michael Sutton is a Director for iDEFENSE, a security intelligence company located in Reston, VA. He heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP). Prior to joining iDEFENSE, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst and Young in Bermuda. He is a frequent presenter at information security conferences. Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of the Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Adam Greene is a Security Engineer for iDEFENSE, a security intelligence company located in Reston, VA. His responsibilities at iDEFENSE include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX-based system auditing and exploit development. In his time away from computers he has been known to enjoy tea and foosball with strange old women.
Michael Sutton & Greg MacManus: Punk Ode - Hiding shellcode in plain sight
Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference
Injecting shellcode into a vulnerable program so you can find it reliably can be tricky. With image format vulnerabilities, sometimes the only place you can put your code is in the image itself. If a file attempting to exploit one of these vulnerabilities was rendered using a non-vulnerable application, the 'strange' files might raise some suspicion; a file containing a NOP-sled and shellcode does not tend to look like any normal photo. What if shellcode could be injected in this way without significantly altering the appearance of the file? What if the entire file could be transformed into executable code but the original image or sound could still be rendered? In this presentation we will present Punk Ode, which combines concepts from steganography, psychophysics and restricted character-set shellcode encoding to hide shellcode in plain sight. We will discuss how to convert a media file into a stream of valid instructions while leaving the initial images/sounds intact so as not to raise suspicion. We will also release a series of tools designed to automate the generation of such files.

Michael Sutton is a Director for iDefense/VeriSign where he heads iDefense Labs and the Vulnerability Aggregation Team (VAT). iDefense Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDefense Vulnerability Contributor Program (VCP). Prior to joining iDefense, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. He obtained his Master of Science in Information Systems Technology degree at George Washington University and has a Bachelor of Commerce degree from the University of Alberta. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Greg MacManus is a security engineer for iDefense/VeriSign working in the iDefense Labs, where he does a bunch of computer security research and vulnerability analysis. He obtained his Bachelor of Science in Computer Science at Otago University in Dunedin, New Zealand, and during this time got quite good at doing the computer stuff and going off on random tangents. Aside from finding and exploiting security vulnerabilities and related computer security topics, he is also interested in image processing, data visualization, artificial intelligence, wordplay and music.