Down the Security Rabbithole Podcast

Rank #192 in Tech News category
Categories: Technology, News, Tech News
Updated 5 days ago

Follow the Wh1t3 Rabbit ... attention technology and business leaders! The "Down the Security Rabbithole" podcast is not your ordinary security podcast, primarily because we take a business perspective on the colorful and fast-paced world of information security. Bringing useful commentary on relevant events in the information security community, filtered through a no-nonsense business first approach, this is a podcast that helps you get the sane perspective on hacks, risks, threats and technology that you need to help make decisions in your daily life and in your organization.

iTunes Ratings: 67 ratings
Rating breakdown by star count (highest to lowest): 51, 6, 2, 5, 3

It’s all about that intro
By Phantom Physics - Sep 11 2019
This is by far my fav cyber podcast. Thank you James and Ralf.

Consistently excellent podcast
By thigley986 - Feb 16 2017
One of my go-to security podcasts. Consistently high quality!


Listen to:

Rank #1: DtSR Episode 288 - Experienced Opinions

This week, while James was out on family duty, I sat down on a Saturday morning with my good friend Will Gragido to talk security. Will is an industry old-timer (sorry buddy, we're old) and has some seriously valid opinions on many things. We discuss some interesting topics, and apologize for nothing.

Highlights from this week's show include...

  • It's conference season again... and time for more buzzword bingo
  • Marketing people are the worst...except we're all complicit
  • Threat Intelligence. Again. Still. Yep.
  • Let's go hunting for threats - who should have a threat hunt team, and why
  • Mergers, acquisitions, and the future of our industry

Guest

  • Will Gragido ( @WGragido ) - Will Gragido is a seasoned security professional with over 20 years’ experience in networking and information security. Will’s extensive background is the result of his service as a United States Marine, a consultant with the world renowned International Network Services, Internet Security Systems (now IBM ISS), McAfee, Damballa, Cassandra Security, RSA Netwitness, Carbon Black, Digital Shadows and now Digital Guardian where he leads the organization’s Advanced Threat Protection Product Line as its Director.

Mar 20 2018

50mins

Rank #2: DtR Episode 104 - JW Goerlich - Security Leaders Series

In this episode

  • Who is J.W. Goerlich (redux from episode - 
  • How did he get to where he is now?
  • How does the security executive deal with the "moving finish line"?
  • JW discusses how 'security' people can break down barriers between "us" and "them"
  • We discuss why we still fail at the basics, and what all this means...
  • JWG tries to talk about his favorite controls framework
  • We discuss what difference it makes where the CISO reports in the enterprise
  • What will the CISO be, or need to do, in ~3-5 years?
  • We discuss hiring into InfoSec - from outside, or within ... and why?
  • JW gives us the one thing you need to remember

Guest

  • J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout product lifecycle in process and efficiency gains.

Aug 04 2014

34mins

Rank #3: DtSR Episode 234 - Straight Talk on National Security

This week, the interview is extra special because we have a guest I've personally been following for a long while, and I finally got a chance to virtually sit down and talk through his considerable areas of expertise.

I'm pleased to say we had a chance to sit down virtually with Professor Tom Nichols and talk international affairs, foreign policy and all the important things getting lost in the off-color political arguments lately. These are important issues to cyber security professionals that impact our daily lives - but rarely get discussed by someone with actual, credentialed expertise.

Enjoy this one, friends, I know we did recording it. I want to thank Tom for being an awesome guest and lending his time to our show.

If you want to read Tom's latest book, you can get it on Amazon.

Guest

  • Tom Nichols ( @RadioFreeTom ): 

    Dr. Thomas M. Nichols is a Professor in the Department of National Security Affairs at the U.S. Naval War College and at the Harvard Extension School, where he worked with the U.S. Air Force to create the program for the Certificate in Nuclear Deterrence Studies. He is a former Secretary of the Navy Fellow, and held the Naval War College's Forrest Sherman Chair of Public Diplomacy. Dr. Nichols was previously the chairman of the Strategy and Policy Department at the Naval War College. Before coming to Newport, he taught international relations and Soviet/Russian affairs at Dartmouth College and Georgetown University.

    Dr. Nichols was personal staff for defense and security affairs in the United States Senate to the late Sen. John Heinz of Pennsylvania, and was a Fellow at the Center for Strategic and International Studies in Washington, DC. He is currently a Senior Associate of the Carnegie Council on Ethics and International Affairs in New York City. He was recently a Fellow in the International Security Program at the John F. Kennedy School at Harvard University.

    He is the author of several books and articles, including Eve of Destruction: The Coming of Age of Preventive War (University of Pennsylvania Press, 2008), and No Use: Nuclear Weapons and U.S. National Security (University of Pennsylvania, 2014). His most recent book, The Death of Expertise: The Campaign Against Established Knowledge and Why It Matters was released by Oxford in 2017.

    Dr. Nichols holds a PhD from Georgetown, an MA from Columbia University, the Certificate of the Harriman Institute for Advanced Study of the Soviet Union at Columbia, and a BA from Boston University.

Mar 01 2017

52mins

Rank #4: DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis]

In this episode

  • Jay and Bob talk about their new book
  • A discussion on using data as 'supporting evidence' rather than gut feelings
  • Do we have actuarial quality data to answer key security questions?
  • A discussion on "asking the right question", and why it's THE single most important thing to do
  • Bob attempts to ask security professionals to use data we already have, to be data-driven
  • Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
  • Quick shout out to Allison Miller on finding the little needles in the big, big haystack
  • We think about why security as an industry needs to start looking outside of itself to get its data - now
  • Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis
  • I ask whether there is a chicken and egg problem in large-scale data analysis
  • Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
  • Bob makes a pitch for having a "Cyber CDC" ... stop laughing
  • Jay laments the absolute bonkers problems dealing with information sharing (when you don't have any to share)
  • Jay urges you to "count and compare"

Feb 17 2014

58mins

Rank #5: DtSR Episode 271 - The Secrets of Influence Through Communication

This week James and I are fortunate enough to have one of the best keynote speakers I've ever seen on the show. He's an amazing speaker, a brilliant magician and a sharp dresser - this guy is the real deal.

Straight off the keynote stage at the Security Advisor Alliance (SAA) Summit in Denver ... ok maybe not straight off, Vinh Giang joins us to talk about how to influence people while you're up there giving a talk or speech.

Grab something to take notes with - trust me, this one is chock full of brilliant nuggets.

Guest: Vinh Giang ( Twitter: @AskVinh and Facebook: https://www.facebook.com/askvinh/ ) is a brilliant self-made public speaker, magician, and all-around snappy dresser.

Nov 21 2017

45mins

Rank #6: DtSR Episode 136 - Crypto and Privacy with Jon Callas

In this episode...

  • Jon Callas gives a little of his background and his current role
  • We talk through why cryptography is so hard, and so broken today
  • Jon overviews compatibility, audit and making cryptography useful
  • Jon brings up open source, security, and why "open is more secure" is bunk
  • We talk through "barn builders" vs. "barn kickers" and why security isn't improving
  • We talk through how to do privacy, active vs. passive surveillance
  • We talk through anonymous VPN providers, anonymization services, and how they're legally bound
  • Jon talks about appropriate threat modeling and knowing what we're protecting
  • We talk through patching -- how to do patching for Joe Average User
  • Bonus-- Mobile is as secure (or more) than what we're used to on the desktop

Guest

  • Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered “one of the most respected and well-known names in the mobile security industry.” Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation and the former Chief Technical Officer of Entrust.

Mar 30 2015

49mins

Rank #7: DtR Episode 82 - Likely Threats [Guests: Lisa Leet, Russell Thomas, Bob Blakley]

In this episode

  • Does it make sense, in a mathematical and practical sense, to look for 'probability of exploit'?
  • How does 'game theory' apply here?
  • How do intelligent adversaries figure into these mathematical models?
  • Is probabilistic risk analysis compatible with a game theory approach?
  • Discussing how adaptive adversaries figure into our mathematical models of predictability...
  • How do we use any of this to figure out path priorities in the enterprise space?
  • An interesting analogy to the credit scoring systems we all use today
  • An interesting discussion of 'unknowns' and 'black swans'
  • Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization

Guests

  • Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Exam on July 15th, taking MOOCs, and reading at least twelve books concurrently including a 1600-pager on Python. In her free time she volunteers on the Board of Directors for SIRA (Society of Information Risk Analysts) and participates in awesome podcasts like DtR.
  • Russell Thomas ( @MrMeritology ) - Russell is a Security Data Scientist in financial services, and a PhD student in Computational Social Sciences.  His focus is on the intersection of information security and business and economic decision making.  He’s “MrMeritology” on Twitter, and blogs at “Exploring Possibility Space” (http://exploringpossibilityspace.blogspot.com/).
  • Bob Blakley - Bob has been in the security industry for more than 35 years.  He's led the OMG CORBAsecurity, SAML, and OATH standardization efforts, and currently chairs the NSTIC Identity Ecosystem Steering Group.  He's in the drama department at a large multinational financial institution.

Mar 03 2014

43mins

Rank #8: DtSR Episode 226 - Targeted Threats Facts From Fiction

Welcome to the first Down the Security Rabbithole Podcast episode of 2017!

We would like to kick off this year, and the run to episode 250 with an episode that dissects the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, that's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats.

Sit back, grab a coffee and listen. I know you'll want to listen to this one more than once!

If you have a moment, and you actually read the show notes, we would love it if you could give us a rating on iTunes or actually leave a comment on the podcast page. Get engaged on Twitter, using the hashtag #DtSR!

Guest Biography

Sergio Caltagirone hunts evil.  He spends his days hunting hackers and his evenings hunting human traffickers.  After 9 years with the US Government, over 3 years at Microsoft and now at Dragos, Sergio has not only hunted the most sophisticated targeted hackers in the world but also applied that intelligence to protect billions of users worldwide and to safeguard civilization through the protection of critical infrastructure and industrial control systems.  He co-created the Diamond Model of Intrusion Analysis, proudly helping thousands of others bring more pain to adversaries by strengthening hunters and intelligence analysts.  He also proudly serves as the Technical Director of the Global Emancipation Network, a non-governmental organization, leading a world-class all-volunteer team hunting human traffickers and finding their victims through data science and analytics, working towards saving tens of millions of lives.

You can find Sergio on Twitter at @cnoanalysis

Jan 03 2017

57mins

Rank #9: DtR Episode 84 - Rise of the Security Machines [Guest: Alex Pinto]

In this episode

  • what is the promise of automation, and where did we go wrong (or right?)
  • the problems with 'volume' (of logging) and the loss of expressiveness
  • a dive into 'exploratory based monitoring'
  • how does log-based data analysis scale?
  • baselines, and why 'anomaly detection' has failed us
  • does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
  • does today's 'threat intelligence' provide value, and is it really useful?
  • decrying the tools - and blaming the victims
  • what is machine learning good at, and what won't it be great at?
  • log everything!

Guest

  • Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat. He has been researching and exploring the applications of machine learning and predictive analytics to information security data sources, such as logs and threat intelligence feeds. He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algorithmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.

Mar 17 2014

48mins

Rank #10: DtSR Episode 292 - Navigating Industry Conferences (RSA)

This week, James is back and he and Raf sit down for a discussion on navigating the big industry conferences, as RSA Conference kicks off in San Francisco. We add just the right bit of snark to your day, and provide some much-needed commentary on the industry, conferences, and survival.

Highlights from this week's show include...

  • A quick overview of RSA Conference
  • Getting value, learning something, or whatever else
  • Buzzwords, and navigating marketing speak
  • Attendee personas: buyer, attendee, vendor - there is a huge difference in how you experience a conference from these angles
  • Feature, product, or startup (sometimes they're the same thing!)
  • Tips, tricks and ideas for having a successful experience

Apr 17 2018

42mins

Rank #11: DtSR Episode 134 - Fundamental Security

In this episode...

  • Michael C and the team talk about "going back to basics" and the need for security fundamentals
  • Michael C talks a little about why we (security professionals) fail at fixing problems at scale
  • We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
  • Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
  • We discuss the balance between false positives and false negatives -- a super critical topic
  • Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
  • We talk through centralized vs. de-centralized security, and how to understand which works better, and where
  • Michael C gives us his 3 key take-aways for listeners (don't miss these!)
  • We talk through "assume breach", and what it means for security

Guest

  • Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community now serving on its board and having contributed countless hours and lines of code to the effort. 

Mar 16 2015

48mins

Rank #12: DtSR Episode 265 - Privacy and Paranoia

This week's Down the Security Rabbithole Podcast asks - "Are you paranoid enough about your privacy? or do you simply not have any?" with a couple of gentlemen who would know.

Join James and Raf as we go down the rabbit hole one more time, this time talking about the breadcrumbs, fingerprints, and digital privacy violations you voluntarily give up in your everyday life. It's a little scary, but the trade-off we make for the sake of convenience is very real.

Grab your tinfoil hat and your burner phone and enjoy!

Oct 10 2017

47mins

Rank #13: DtR Episode 76 - Payment Industry Turmoil [Guests: Laura Claytor & Alfred Portengen]

In this episode

  • Did the Target/Neiman/? breach finally create a catalyst for change?
  • The card system, payment processing infrastructure clearly wasn't designed with defensibility in mind ... who should be changing that?
  • Are today's fraud rates finally getting high enough such that card processors, issuers, banks need to depart from the status quo?
  • Are the days of "zero fraud liability" to the end consumer coming to an end?
  • What about chip & pin? Is the risk less?
  • What kinds of pains will the industry go through to make security on payment systems better?
  • How is the commercial payments industry different from the consumer?
  • Do end users of credit accounts ultimately care about breaches?

Guests

  • Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States
  • Alfred Portengen ( @alfredportengen ) - Alfred has a deep breadth of experience in architecture and security within a multi-national banking organization; he is based in the Netherlands

Jan 20 2014

39mins

Rank #14: DtSR Episode 159 - NewsCast for Sept 7th 2015

Sep 07 2015

44mins

Rank #15: DtSR Episode 236 - Enterprise Architecture 2017

Check out episode 236 with Marie-Michelle Strah who is a repeat offender here on the podcast with her first appearance back in 2014 on Episode 122 ( http://podcast.wh1t3rabbit.net/dtsr-episode-122-enterprise-architectures-role-in-security ).

This episode is a revisitation of Enterprise Architecture and its importance to security, with a perspective on the enterprise tech stack, business segmentation and microservices in a modern distributed enterprise. Marie-Michelle's experience and extensive insight into the topic should give you something to think about as you go back to your day job in security.

Guest: Marie-Michelle Strah ( @CyberSlate ) - Marie-Michelle Strah, PhD, is currently Senior Principal in the Enterprise Architecture Group at Infosys Ltd and based in New York City. A highly collaborative, diplomatic and inspiring thought leader, Michelle is able to effectively drive business and technology strategy and business insights across corporate boundaries and departmental silos. A seasoned management and technology consultant, she specializes in strategy development, cloud transformation, enterprise information modernization and innovation management efforts to drive global growth while minimizing cost and risk in complex organizations. She has a PhD from Cornell University, was a Javits Fellow and is a US Army veteran. Connect with Michelle on Skype/Twitter/Instagram/Snapchat @cyberslate | http://cyberslate.me

Mar 14 2017

44mins

Rank #16: DtSR Episode 276 - Game Changer in ICS (no FUD edition)

What: In this episode we get the facts on the recent game-changing malware/attacks that appear to be nation-state sponsored, targeting critical safety systems in industrial control systems (ICS).

Why: You've probably read about it, and depending on what you read you may only have the hype or half the story.

Who: As always, Sergio Caltagirone from Dragos is the master at telling a great story, from just the facts. He's part of the team that did the analysis, wrote the narrative, and then ended up on countless phone calls explaining it to executives and national security types. He knows his craft.

We invited him on this special episode to give you the inside story, to separate some of the hyperbole from reality - so listen up.

Dec 26 2017

44mins

Rank #17: DtSR Episode 351 - Deeper Into the Microsoft Security Ecosystem

Thank you to Microsoft for sponsoring this show, and our podcast over the years...

Highlights from this week's show include...

  • Rob discusses what "Microsoft Threat Protection" is, isn't, and why it's relevant today
  • Rob gives us some context to "trillions of signals" - what does that mean?
  • Rob provides perspective on the pillars of operational excellence required to make Microsoft's vision a reality in damn-near-real-time
  • Rafal and Rob discuss what the ecosystem looks like, and how it's being released into production
  • Rob answers whether Microsoft consumes its own tools… the answer may surprise you

Guest:

  • Rob Lefferts - @rob_lefferts -

    Microsoft Responsibilities/Contributions – As corporate vice president for M365 Security within Experiences and Devices, Rob Lefferts is responsible for ensuring that Microsoft 365 provides a comprehensive and cohesive security experience for all of our customers. Prior to this role, he led the Windows Enterprise & Security team, where he was responsible for hardening the Windows platform, building intelligent security agents, and driving commercial adoption of Windows 10. Since joining Microsoft in 1997, Lefferts has been instrumental in shaping key products and technologies, from helping develop the original SharePoint Portal Server to leading extensibility efforts for the Office platform to championing the vision for Microsoft 365.

    Pre-Microsoft Work Experience – Rob began his career at Claritech, a startup that was born from a Carnegie Mellon research project. He then consulted with the Government of Namibia, Africa.

    Education – He earned a bachelor’s degree in logic and computation, as well as a master’s degree in computational linguistics, from Carnegie Mellon University.

    Family/Other Interests – Rob and his wife have two children and live in the Seattle area.

Jun 19 2019

38mins

Rank #18: DtR Episode 79 - NewsCast for February 10th, 2014

Feb 10 2014

38mins

Rank #19: DtSR Episode 267 - Cyber Security Awareness Month Wrap

This week, James and Raf cover the tail-end of Cyber Security Awareness Month. It's been an interesting week of news and of course let's talk about awareness.

Have you completed your mandatory training?

This week's talking points

Namaste Health Care security incident, announcement

DHS Imposes DMARC on Federal Agencies

Cyber Security Awareness Training

  • Are we over it yet?
  • Raf says he's always late, and it's always the same thing... does it work?
  • What are some better alternatives? (there have to be better)
  • Does your job offer/mandate awareness training? Does it WORK?!
    • How would you even know??

Oct 24 2017

36mins

Rank #20: DtSR Episode 355 - Threat Modeling Rides Again

My dear listeners - we have John Steven back on this episode! If you don't remember his first appearance, it's OK, it was a little while ago back on episode 42 ... http://podcast.wh1t3rabbit.net/dt-r-episode-42-threat-modeling so it's been a while!

Highlights from this week's show include...

  • John gives us a run-down on the new things since the last episode
  • James & John talk OWASP Top 10
  • The guys try to understand what happened to Threat Modeling, and security overall, over the last decade
  • So much more, you'll have to listen

Jul 23 2019

49mins
