Rank #1: DtSR Episode 288 - Experienced Opinions
This week, while James was out on family duty, I sat down on a Saturday morning with my good friend Will Gragido to talk security. Will is an industry old-timer (sorry buddy, we're old) and has some seriously valid opinions on many things. We discuss some interesting topics, and apologize for nothing.
Highlights from this week's show include...
- It's conference season again... and time for more buzzword bingo
- Marketing people are the worst...except we're all complicit
- Threat Intelligence. Again. Still. Yep.
- Let's go hunting for threats - who should have a threat hunt team, and why
- Mergers, acquisitions, and the future of our industry
- Will Gragido ( @WGragido ) - Will Gragido is a seasoned security professional with over 20 years’ experience in networking and information security. Will’s extensive background is the result of his service as a United States Marine, a consultant with the world renowned International Network Services, Internet Security Systems (now IBM ISS), McAfee, Damballa, Cassandra Security, RSA Netwitness, Carbon Black, Digital Shadows and now Digital Guardian where he leads the organization’s Advanced Threat Protection Product Line as its Director.
Mar 20 2018
Rank #2: DtR Episode 104 - JW Goerlich - Security Leaders Series
In this episode
- Who is J.W. Goerlich (redux from episode -
- How did he get to where he is now?
- How does the security executive deal with the "moving finish line"?
- JW discusses how 'security' people can break down barriers between "us" and "them"
- We discuss why we still fail at the basics, and what all this means...
- JWG tries to talk about his favorite controls framework
- We discuss what difference it makes where the CISO reports in the enterprise
- What will the CISO be, or need to do, in ~3-5 years?
- We discuss hiring into InfoSec - from outside, or within ... and why?
- JW gives us the one thing you need to remember
- J.W. Goerlich ( @jwgoerlich ) - Results-driven IT management executive with a track record of building high performance teams and providing flawless execution. Leverages background in systems engineering, software development, and information security expertise to consistently lower operating costs and raise service levels. Designs solutions that support long-term strategic planning and create immediate impact throughout product lifecycle in process and efficiency gains.
Aug 04 2014
Rank #3: DtSR Episode 234 - Straight Talk on National Security
This week, the interview is extra special because we have a guest I've personally been following for a long while, and I finally got a chance to virtually sit down and talk through his considerable areas of expertise.
I'm pleased to say we had a chance to sit down virtually with Professor Tom Nichols and talk international affairs, foreign policy and all the important things getting lost in the off-color political arguments lately. These are important issues to cyber security professionals that impact our daily lives - but rarely get discussed by someone with actual, credentialed expertise.
Enjoy this one, friends, I know we did recording it. I want to thank Tom for being an awesome guest and lending his time to our show.
If you want to read Tom's latest book, you can get it on Amazon, link HERE.
- Tom Nichols ( @RadioFreeTom ):
Dr. Thomas M. Nichols is a Professor in the Department of National Security Affairs at the U.S. Naval War College and at the Harvard Extension School, where he worked with the U.S. Air Force to create the program for the Certificate in Nuclear Deterrence Studies. He is a former Secretary of the Navy Fellow, and held the Naval War College's Forrest Sherman Chair of Public Diplomacy. Dr. Nichols was previously the chairman of the Strategy and Policy Department at the Naval War College. Before coming to Newport, he taught international relations and Soviet/Russian affairs at Dartmouth College and Georgetown University.
Dr. Nichols was personal staff for defense and security affairs in the United States Senate to the late Sen. John Heinz of Pennsylvania, and was a Fellow at the Center for Strategic and International Studies in Washington, DC. He is currently a Senior Associate of the Carnegie Council on Ethics and International Affairs in New York City. He was recently a Fellow in the International Security Program at the John F. Kennedy School at Harvard University.
He is the author of several books and articles, including Eve of Destruction: The Coming of Age of Preventive War (University of Pennsylvania Press, 2008), and No Use: Nuclear Weapons and U.S. National Security (University of Pennsylvania, 2014). His most recent book, The Death of Expertise: The Campaign Against Established Knowledge and Why It Matters was released by Oxford in 2017.
Dr. Nichols holds a PhD from Georgetown, an MA from Columbia University, the Certificate of the Harriman Institute for Advanced Study of the Soviet Union at Columbia, and a BA from Boston University.
Mar 01 2017
Rank #4: DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis]
In this episode
- Jay and Bob talk about their new book
- A discussion on using data as 'supporting evidence' rather than gut feelings
- Do we have actuarial quality data to answer key security questions?
- A discussion on "asking the right question", and why it's THE single most important thing to do
- Bob attempts to ask security professionals to use data we already have, to be data-driven
- Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know
- Quick shout out to Allison Miller on finding the little needles in the big, big haystack
- We think about why security as an industry needs to start looking outside of itself to get its data - now
- Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis
- I ask whether there is a chicken and egg problem in large-scale data analysis
- Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks
- Bob makes a pitch for having a "Cyber CDC" ... stop laughing
- Jay laments the absolute bonkers problems dealing with information sharing (when you don't have any to share)
- Jay urges you to "count and compare"
Feb 17 2014
Rank #5: DtSR Episode 271 - The Secrets of Influence Through Communication
This week James and I are fortunate enough to have one of the best keynote speakers I've ever seen on the show. He's an amazing speaker, a brilliant magician and a sharp dresser - this guy is the real deal.
Straight off the keynote stage at the Security Advisor Alliance (SAA) Summit in Denver ... ok maybe not straight off, Vinh Giang joins us to talk about how to influence people while you're up there giving a talk or speech.
Grab something to take notes with - trust me, this one is chock full of brilliant nuggets.
Nov 21 2017
Rank #6: DtSR Episode 136 - Crypto and Privacy with Jon Callas
In this episode...
- Jon Callas gives a little of his background and his current role
- We talk through why cryptography is so hard, and so broken today
- Jon overviews compatibility, audit and making cryptography useful
- Jon brings up open source, security, and why "open is more secure" is bunk
- We talk through "barn builders" vs. "barn kickers" and why security isn't improving
- We talk through how to do privacy, active vs. passive surveillance
- We talk through anonymous VPN providers, anonymization services, and how they're legally bound
- Jon talks about appropriate threat modeling and knowing what we're protecting
- We talk through patching -- how to do patching for Joe Average User
- Bonus-- Mobile is as secure (or more) than what we're used to on the desktop
- Jon Callas ( @JonCallas ) - Jon Callas is an American computer security expert, software engineer, user experience designer, and technologist who is the co-founder and CTO of the global encrypted communications service Silent Circle. He has held major positions at Digital Equipment Corporation, Apple, PGP, and Entrust, and is considered “one of the most respected and well-known names in the mobile security industry.” Callas is credited with creating several Internet Engineering Task Force (IETF) standards, including OpenPGP, DKIM, and ZRTP, which he wrote. Prior to his work at Entrust, he was Chief Technical Officer and co-founder of PGP Corporation and the former Chief Technical Officer of Entrust.
Mar 30 2015
Rank #7: DtR Episode 82 - Likely Threats [Guests: Lisa Leet, Russell Thomas, Bob Blakley]
In this episode
- Does it make sense, in a mathematical and practical sense, to look for 'probability of exploit'?
- How does 'game theory' apply here?
- How do intelligent adversaries figure into these mathematical models?
- Is probabilistic risk analysis compatible with a game theory approach?
- Discussing how adaptive adversaries figure into our mathematical models of predictability...
- How do we use any of this to figure out path priorities in the enterprise space?
- An interesting analogy to the credit scoring systems we all use today
- An interesting discussion of 'unknowns' and 'black swans'
- Fantastic *practical* advice for getting this data-science-backed analysis to work for YOUR organization
- Lisa Leet - Lisa is a wife of 17 years, a mother of 5 years to boy/girl twins, and an employee of 7 years on the Information Security team at a Minneapolis-based financial services firm. She is also an intern at Stamford Risk Analytics (Stamford, CT), pursuing studies at Stanford University, prepping for her CISSP Exam on July 15th, taking MOOCs, and reading at least twelve books concurrently including a 1600-pager on Python. In her free time she volunteers on the Board of Directors for SIRA (Society of Information Risk Analysts) and participates in awesome podcasts like DtR.
- Russell Thomas ( @MrMeritology ) - Russell is a Security Data Scientist in financial services, and a PhD student in Computational Social Sciences. His focus is on the intersection of information security and business and economic decision making. He’s “MrMeritology” on Twitter, and blogs at “Exploring Possibility Space” (http://exploringpossibilityspace.blogspot.com/).
- Bob Blakley - Bob has been in the security industry for more than 35 years. He's led the OMG CORBAsecurity, SAML, and OATH standardization efforts, and currently chairs the NSTIC Identity Ecosystem Steering Group. He's in the drama department at a large multinational financial institution.
Mar 03 2014
Rank #8: DtSR Episode 226 - Targeted Threats Facts From Fiction
Welcome to the first Down the Security Rabbithole Podcast episode of 2017!
We would like to kick off this year, and the run to episode 250 with an episode that dissects the facts from the fiction on the topic of "Advanced Threats". With all the talk in the news about the Russians "hacking the US election" (yes, that's absolutely silly to call it that) and talk of retaliation, it's important to have a frank discussion on the merits of the concept of advanced threats.
Sit back, grab a coffee and listen. I know you'll want to listen to this one more than once!
If you have a moment, and you actually read the show notes, we would love it if you could give us a rating on iTunes or actually leave a comment on the podcast page. Get engaged on Twitter, using the hashtag #DtSR!
Sergio Caltagirone hunts evil. He spends his days hunting hackers and his evenings hunting human traffickers. After 9 years with the US Government, over 3 years at Microsoft and now at Dragos, Sergio has not only hunted the most sophisticated targeted hackers in the world but also applied that intelligence to protect billions of users worldwide and to safeguard civilization through the protection of critical infrastructure and industrial control systems. He co-created the Diamond Model of Intrusion Analysis, proudly helping thousands of others bring more pain to adversaries by strengthening hunters and intelligence analysts. He also proudly serves as the Technical Director of the Global Emancipation Network, a Non-Governmental Organization, leading a world-class all-volunteer team that hunts human traffickers and finds their victims through data science and analytics, working towards saving tens of millions of lives.
You can find Sergio on Twitter at @cnoanalysis
Jan 03 2017
Rank #9: DtR Episode 84 - Rise of the Security Machines [Guest: Alex Pinto]
In this episode
- what is the promise of automation, and where did we go wrong (or right?)
- the problems with 'volume' (of logging) and the loss of expressiveness
- a dive into 'exploratory based monitoring'
- how does log-based data analysis scale?
- baselines, and why 'anomaly detection' has failed us
- does machine learning solve the 'hands on keyboard' (continuous tuning) problem with SIEM?
- does today's 'threat intelligence' provide value, and is it really useful?
- decrying the tools - and blaming the victims
- what is machine learning good at, and what won't it be great at?
- log everything!
- Alex Pinto ( @alexcpsec ) - Alex has almost 15 years dedicated to Information Security solutions architecture, strategic advisory and security monitoring. He has been a speaker at major conferences such as BlackHat USA, DefCon, BSides Las Vegas and BayThreat. He has been researching and exploring the applications of machine learning and predictive analytics to information security data sources, such as logs and threat intelligence feeds. He launched MLSec Project (https://www.mlsecproject.org) in 2013 to develop and provide practical implementations of machine learning algorithms to support the information security monitoring practice. The goal is to use algorithmic automation to fight the challenges that we currently face in trying to make sense of day-to-day usage of SIEM solutions.
Mar 17 2014
Rank #10: DtSR Episode 292 - Navigating Industry Conferences (RSA)
This week, James is back and he and Raf sit down for a discussion on navigating the big industry conferences, as RSA Conference kicks off in San Francisco. We add just the right bit of snark to your day, and provide some much-needed commentary on the industry, conferences, and survival.
Highlights from this week's show include...
- A quick overview of RSA Conference
- Getting value, learning something, or whatever else
- Buzzwords, and navigating marketing speak
- Attendee personas: buyer, attendee, vendor - there is a huge difference in how you experience a conference from these angles
- Feature, product, or startup (sometimes they're the same thing!)
- Tips, tricks and ideas for having a successful experience
Apr 17 2018
Rank #11: DtSR Episode 134 - Fundamental Security
In this episode...
- Michael C and the team talk about "going back to basics" and the need for security fundamentals
- Michael C talks a little about why we (security professionals) fail at fixing problems at scale
- We dive into the need for automation, and Michael C talks about why creating more work for security professionals is a bad thing
- Michael C and the crew talk through why many of our metrics fail, highlighting the need to get away from the typical dashboard approach of "bigger numbers is better"
- We discuss the balance between false positives and false negatives -- a super critical topic
- Rafal brings up the role security professionals play in software security, and why we can't be expected to drive the daily tasks
- We talk through centralized vs. de-centralized security, and how to understand which works better, and where
- Michael C gives us his 3 key take-aways for listeners (don't miss these!)
- We talk through "assume breach", and what it means for security
- Michael Coates ( @_mwc ) - Currently, Michael is the Trust and Security Officer at Twitter where he leads the information security team and drives overall security efforts across the organization to a common goal and objective. Michael is a staple of the OWASP community now serving on its board and having contributed countless hours and lines of code to the effort.
Mar 16 2015
Rank #12: DtSR Episode 265 - Privacy and Paranoia
This week's Down the Security Rabbithole Podcast asks - "Are you paranoid enough about your privacy? or do you simply not have any?" with a couple of gentlemen who would know.
Join James and Raf as we go down the rabbit hole one more time, this time talking about the breadcrumbs, fingerprints, and digital privacy violations you voluntarily give up in your everyday life. It's a little scary, but the trade-off we make for the sake of convenience is very real.
Grab your tinfoil hat and your burner phone and enjoy!
Oct 10 2017
Rank #13: DtR Episode 76 - Payment Industry Turmoil [Guests: Laura Claytor & Alfred Portengen]
In this episode
- Did the Target/Neiman/? breach finally create a catalyst for change?
- The card system, payment processing infrastructure clearly wasn't designed with defensibility in mind ... who should be changing that?
- Are today's fraud rates finally getting high enough such that card processors, issuers, banks need to depart from the status quo?
- Are the days of "zero fraud liability" to the end consumer coming to an end?
- What about chip & pin? Is the risk less?
- What kinds of pains will the industry go through to make security on payment systems better?
- How is the commercial payments industry different from the consumer?
- Do end users of credit accounts ultimately care about breaches?
- Laura Claytor ( @the.hgic ) - Laura is a security specialist and veteran within a large US-based banking organization, and is based in the southwest United States
- Alfred Portengen ( @alfredportengen ) - Alfred has a deep breadth of experience in architecture and security specialty within a multi-national banking organization; he is based in the Netherlands
Jan 20 2014
Rank #14: DtSR Episode 159 - NewsCast for Sept 7th 2015
In this episode
- Court strikes down Wyndham's challenge to FTC power
- We have covered this before
- Wyndham argued due process and lack of case law - asked for dismissal
- Court said no dismissal, FTC has standing
- FTC is arguing that Wyndham made promises it did not keep
- Should be interesting to watch this go to court (or likely not)
- Ashley Madison hauled into court by class-action suit
- Lots of thorny issues here, must separate out moral from legal
- Shines light on the continued bias for breach prevention
- Interesting Streisand effect here
- Verizon launches Hum OBD port vehicle monitor and communication tool
- In light of the stunt-hacking against Chrysler/Jeep is Verizon tone deaf?
- ...or are they simply that confident in their security?
- There is no mention, by the way, of security of the device on the web site
- The move to EMV cards (chip & sign) in America is changing how fraud happens
- EMV cards cost a fortune to implement
- Solving a problem the finance industry did not have
Sep 07 2015
Rank #15: DtSR Episode 236 - Enterprise Architecture 2017
Check out episode 236 with Marie-Michelle Strah who is a repeat offender here on the podcast with her first appearance back in 2014 on Episode 122 ( http://podcast.wh1t3rabbit.net/dtsr-episode-122-enterprise-architectures-role-in-security ).
This episode revisits Enterprise Architecture and its importance to security, with a perspective on the enterprise tech stack, business segmentation and microservices in a modern distributed enterprise. Marie-Michelle's experience and extensive insight into the topic should give you something to think about as you go back to your day job in security.
Guest: Marie-Michelle Strah ( @CyberSlate ) - Marie-Michelle Strah, PhD is currently Senior Principal in the Enterprise Architecture Group at Infosys Ltd and based in New York City. A highly collaborative, diplomatic and inspiring thought leader, Michelle is able to effectively drive business and technology strategy and business insights across corporate boundaries and departmental silos. A seasoned management and technology consultant, she specializes in strategy development, cloud transformation, enterprise information modernization and innovation management efforts to drive global growth while minimizing cost and risk in complex organizations. She has a PhD from Cornell University, was a Javits Fellow and is a US Army veteran. Connect with Michelle on Skype/Twitter/Instagram/Snapchat @cyberslate | http://cyberslate.me
Mar 14 2017
Rank #16: DtSR Episode 276 - Game Changer in ICS (no FUD edition)
What: In this episode we get the facts on the recent game-changing malware/attacks that appear to be nation-state sponsored, attacking critical safety systems in industrial control systems (ICS).
Why: You've probably read about it, and depending on what you read you may only have the hype or half the story.
Who: As always, Sergio Caltagirone from Dragos is the master at telling a great story, from just the facts. He's part of the team that did the analysis, wrote the narrative, and then ended up on countless phone calls explaining it to executives and national security types. He knows his craft.
- Dragos blog about the topic: https://dragos.com/blog/trisis/
- Fireeye's version: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
We invited him on this special episode to give you the inside story, to separate some of the hyperbole from reality - so listen up.
Dec 26 2017
Rank #17: DtSR Episode 351 - Deeper Into the Microsoft Security Ecosystem
Thank you to Microsoft for sponsoring this show, and our podcast over the years...
Highlights from this week's show include...
- Rob discusses what "Microsoft Threat Protection" is, isn't, and why it's relevant today
- Rob gives us some context to "trillions of signals" - what does that mean?
- Rob provides perspective on the pillars of operational excellence required to make Microsoft's vision a reality in damn-near-real-time
- Rafal and Rob discuss what the ecosystem looks like, and how it's being released into production
- Rob answers whether Microsoft consumes its own tools… the answer may surprise you
- Rob Lefferts - @rob_lefferts -
Microsoft Responsibilities/Contributions – As corporate vice president for M365 Security within Experiences and Devices, Rob Lefferts is responsible for ensuring that Microsoft 365 provides a comprehensive and cohesive security experience for all of our customers. Prior to this role, he led the Windows Enterprise & Security team, where he was responsible for hardening the Windows platform, building intelligent security agents, and driving commercial adoption of Windows 10. Since joining Microsoft in 1997, Lefferts has been instrumental in shaping key products and technologies, from helping develop the original SharePoint Portal Server to leading extensibility efforts for the Office platform to championing the vision for Microsoft 365.
Pre-Microsoft Work Experience – Rob began his career at Claritech, a startup that was born from a Carnegie Mellon research project. He then consulted with the Government of Namibia, Africa.
Education – He earned a bachelor’s degree in logic and computation, as well as a master’s degree in computational linguistics, from Carnegie Mellon University.
Family/Other Interests – Rob and his wife have two children and live in the Seattle area.
Jun 19 2019
Rank #18: DtR Episode 79 - NewsCast for February 10th, 2014
- In the wake of the Target & Nieman Marcus breaches - is chip+pin really a priority right now, and does it solve the real problem? - http://blogs.csoonline.com/security-leadership/2977/does-chip-and-pin-actually-solve-problem-find-out-asking-these-questions
- Speaking of Target ... it turns out that 3rd parties really are a problem and still a blind spot in many organizations' risk matrices, who knew - http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- Apparently NBC News doesn't believe it's stretching the news at all, when it virtually makes up a story then gets called out by Robert Graham, hilarity ensues - http://news.cnet.com/8301-1009_3-57618533-83/sochi-hack-report-fraudulent-security-researcher-charges/
- Something bad, very, very bad just happened over at Barclays in the UK ... although jury seems to still be out on what exactly is going on; you can bet we're going to keep an eye on this - http://www.theregister.co.uk/2014/02/10/barclays_investigates_gold_mine_client_data_breach/
- In a "You can't make this stuff up, folks" moment, the FBI is asking for malware and they're willing to pay for it; and they'll send you all the info in a .docx file?! - http://www.nextgov.com/cybersecurity/cybersecurity-report/2014/02/fbi-market-malware/78218/
- Is your next new vehicle going to be part of the mesh-network which keeps cars from crashing into each other? It will if the government has its way - complete with wildly-made-up-sounding statistics and ridiculous news story and all (somewhere, Flo from Progressive is mad they stole her schtick) - http://www.usatoday.com/story/money/cars/2014/02/03/nhtsa-vehicle-to-vehicle-communication/5184773/
Feb 10 2014
Rank #19: DtSR Episode 267 - Cyber Security Awareness Month Wrap
This week, James and Raf cover the tail-end of Cyber Security Awareness Month. It's been an interesting week of news and of course let's talk about awareness.
Have you completed your mandatory training?
-- This week's talking points
Namaste Health Care security incident, announcement
- Pay attention to how this article is worded, we've covered this before with Sean and Michael too
- When you don't know, you have to report the worst-case
- Focuses spotlight on knowing what's in your environment, and having a plan for not only technical IR but communications
- How would your organization report? Are you ready to be better?
DHS Imposes DMARC on Federal Agencies
- Any time we can add to the security measures over email, bonus
- We already know email is the #1 way bad things get disseminated
- This is not set-and-forget, you need to make sure it's working!
Cyber Security Awareness Training
- Are we over it yet?
- Raf says he's always late, and it's always the same thing... does it work?
- What are some better alternatives? (there have to be better)
- Does your job offer/mandate awareness training? Does it WORK?!
- How would you even know??
Oct 24 2017
Rank #20: DtSR Episode 355 - Threat Modeling Rides Again
My dear listeners - we have John Steven back on this episode! If you don't remember his first appearance, it's OK, it was a little while ago back on episode 42 ... http://podcast.wh1t3rabbit.net/dt-r-episode-42-threat-modeling so it's been a while!
Highlights from this week's show include...
- John gives us a run-down on the new things since the last episode
- James & John talk OWASP Top 10
- The guys try to understand what happened to Threat Modeling, and security overall, over the last decade
- So much more, you'll have to listen
Jul 23 2019