Cover image of Cyber Security Dispatch
(7)
Business
Technology
Podcasting
Tech News

Cyber Security Dispatch

Updated about 1 month ago

Business
Technology
Podcasting
Tech News
Read more

Cyber Security Dispatch brings you to the front lines of cyber security. In our podcast we interview leading experts and practitioners who are fighting attacks, securing systems, and exploring the cutting edge of cyber security and cyber warfare.

Read more

Cyber Security Dispatch brings you to the front lines of cyber security. In our podcast we interview leading experts and practitioners who are fighting attacks, securing systems, and exploring the cutting edge of cyber security and cyber warfare.

iTunes Ratings

7 Ratings
Average Ratings
7
0
0
0
0

Suprisingly good.

By ChrisDiL - Mar 19 2018
Read more
The background noise a few episodes was a bit off putting but then I realized it was recorded live at a conference. I guess that comes with the territory of interviewing interesting people. And it really wasn't that bad. By the way, did I mention how the people being interviewed are interesting? And the topics are interesting? And Andy is great in really getting people to talk about what they know, and just let's them talk. My final thing is that there is no super long intro/outro which is much appreciated. If the episode is 29 minutes you are basically getting 28 minutes of quality interview and 1 minute of chit-chat. Highly recommended. (at least the episodes i've listened to so far). Hopefully it gets even better from here.

Cool interviews

By nyc cyberguy - Mar 01 2018
Read more
Really interesting viewpoint on cyber security space

iTunes Ratings

7 Ratings
Average Ratings
7
0
0
0
0

Suprisingly good.

By ChrisDiL - Mar 19 2018
Read more
The background noise a few episodes was a bit off putting but then I realized it was recorded live at a conference. I guess that comes with the territory of interviewing interesting people. And it really wasn't that bad. By the way, did I mention how the people being interviewed are interesting? And the topics are interesting? And Andy is great in really getting people to talk about what they know, and just let's them talk. My final thing is that there is no super long intro/outro which is much appreciated. If the episode is 29 minutes you are basically getting 28 minutes of quality interview and 1 minute of chit-chat. Highly recommended. (at least the episodes i've listened to so far). Hopefully it gets even better from here.

Cool interviews

By nyc cyberguy - Mar 01 2018
Read more
Really interesting viewpoint on cyber security space
Cover image of Cyber Security Dispatch

Cyber Security Dispatch

Updated about 1 month ago

Read more

Cyber Security Dispatch brings you to the front lines of cyber security. In our podcast we interview leading experts and practitioners who are fighting attacks, securing systems, and exploring the cutting edge of cyber security and cyber warfare.

Rank #1: Security in the Cloud - An Interview with Ratinder Ahuja, CEO of ShieldX

Podcast cover
Read more

Key Points From This Episode:
The beginnings of ShieldX and the time leading up to this.
The arrival of the cloud and the effect of ‘east-west’ security.
Implications for the lack of orchestration for traditional systems.
Reducing the total cost of ownership in addressing these scenarios.
Transferring the security of on-premise systems to the larger, cloud scale.
The logistics of migrating your security to any of the large cloud services.
The futility of an agent based approach to cloud security.
Compatibility and the platforms with which ShieldX corresponds.
Customer experience and how the service has been most widely utilized.
The three dimensional problem that ShieldX solves and secures.
Some information on ShieldX’s investors.
And much more!

Jun 04 2018
32 mins
Play

Rank #2: Focusing on What Matters an Interview with Justin Berman CISO of Zenefits

Podcast cover
Read more

Key Points From This Episode:
Justin’s studies, consulting work and path to his current role at Zenefits.
Calculating risk return for defense and attack and how Justin approaches this.
Why better general security at other companies benefits everyone.
Justin’s approach to defending against advanced persistent threats.
Why security needs to talk more about the less sexy sides of their work.
The hottest new strategies and technologies according to Justin.
The role and appropriate time for automation within a security protocol.
Zenefits' ambition for their security and how far this extends.
The role of CISOs in the conversation about security within a company.
Cultural change at companies and how this leads to sustainable security.
The difficulty in hiring currently within the security sector.
And much more!
Links Mentioned in Today’s Episode:
Justin Berman Website — http://www.justinbermanphotography.com/
Justin Berman on Linkedin — https://www.linkedin.com/in/jmberman
Justin Berman on Twitter — https://twitter.com/justinmberman?lang=en
Zenefits — https://www.zenefits.com/
FS ISAC — https://www.fsisac.com/
Phantom — https://www.phantom.us/
Equifax — https://techcrunch.com/tag/equifax-hack/

Mar 05 2018
34 mins
Play

Rank #3: Keeping the Lights On - An Interview with Arthur House, Chief Risk Officer for The State of Connecticut.

Podcast cover
Read more

Key Points From This Episode:
Arthur’s background in International Relations and role in the Obama administration.
The new challenge that cyber security poses to the state commission.
Highlights from the important process of Connecticut cyber security report.
The meetings that followed this report process and what contributed to its success.
Differences between public utilities and the general business sector.
Responding to the ongoing and evolving challenge of cyber crime.
The idea of cyber resilience replacing that of security.
Better communication and cooperation across the board to aid this issue.
Responding the potential foreign threat and timely recovery to these.
And much more!

Links Mentioned in Today’s Episode:
Arthur House — https://csi.uconn.edu/cyberseed-speakers- 2017/arthur-house/
Connecticut Cyber Security Report — http://portal.ct.gov/Office-of- the-Governor/Press-
Room/Press-Releases/2017/07- 2017/Gov-Malloy- Releases-Cybersecurity- Strategy-for-
Connecticut
C2M2 — https://www.energy.gov/oe/cybersecurity-critical- energy-infrastructure/cybersecurity-
capability-maturity- model-c2m2- program
Eversource — https://www.eversource.com/content/
Avangrid — https://www.avangrid.com
Connecticut Water — https://www.ctwater.com/
Aquarion — http://www.aquarion.com/CT/
Dr. Ron Ross — https://www.nist.gov/people/ronald-s- ross
NIST — https://www.nist.gov/
Belfer Center — https://www.belfercenter.org/

May 07 2018
38 mins
Play

Rank #4: Hacking The Pentagon - An Interview with Lisa Wiswell of Grimm & HackerOne

Podcast cover
Read more

Key Points From This Episode:
Discover how Lisa entered the field of cyber security.
How Lisa came to work as a “bureaucracy hacker” at the Pentagon.
Learn more about the aims and direction of the DARPA program.
Lisa shares more about DARPA’s flagship program titled PlanX.
Find out more about the intricate links between Cybercom and the NSA.
Hear what Lisa believes is the problem with standards and compliance.
How to ensure mature cyber security ecosystems today? Lisa’s thoughts.
Hacking the Pentagon: How, why, when did this happen? Because it did.
Also, hacking the defense travel system, the Army and Air Force (twice).
How Hacking the Pentagon saved over a million dollars in defense.
The effects of the demonization of hackers in popular media today.
Why you cannot tell the world you are secure if you aren’t!
How Hack the Pentagon created a culture shift in security practices.
Lisa shares her view on vulnerability disclosure and policy.
See something, say something: The importance of reporting vulnerabilities.
And much more!

May 15 2018
37 mins
Play

Rank #5: Privacy Within the Digital Ecosystem - An Interview with Pam Dixon of World Privacy Forum

Podcast cover
Read more

Key Points From This Episode:
The current privacy landscape and an introduction to GDPR.
Unpacking GDPR and what it will mean.
The future of terms, conditions and consent forms.
Locating the issue of privacy within a larger context of human rights.
The privacy issue and the distance it has to go to catch up with other social concerns.
The role of industry in the progress of the privacy issue.
Imagining an affirmative, multifaceted approach towards privacy.
Privacy’s relationship to identity and data.
The evolution of the rules of the privacy game.
The important decision we all have to make with regards to privacy.
And much more!

Jun 12 2018
25 mins
Play

Rank #6: Air Gaps Are Like Unicorns - An Interview With Galina Antova

Podcast cover
Read more

Introduction:

Welcome to another edition of cyber security dispatch. This is your host Andy Anderson. In this episode, Air Gaps Are Like Unicorns, we talk with Galina Antova. One of the co-founders of Claroty, a fast growing security startup in the world of industrial control systems. She shares her experience working to protect these critical systems and the journey that led her to found Claroty.

Transcript:

Andy Anderson: Everybody sort of ends up in cyber security in kind of a unique way. Like I don't think there is a single kid who grows up being like, "I want to be a cyber security expert." What was your path into this biz?

Galina Antova:  You're absolutely right, it was kind of like by accident to me. I started my career with IBM. So  just the whole software development, security topic was fascinating. When I came across the industrial domain, it was basically the intersection of  the stuff that runs the world and cyber security. And so I just became fascinated by that topic. And this is how I ended up just getting into it more and more, and eventually co-founding Claroty.

AA: So Claroty has sort of established itself as sort of a thought leader and sort of a category creator in this industrial control systems and SCADA systems. For somebody who is as immersed in that world, what's sort of happening there for people who, if they haven't been reading all of the hacker news?

GA:  Well I think that what happened over the last few years really allowed for the industry to become a real market opportunity. The thing that is not new and that is not easy to change is the security posture of those industrial control system environments. So, in the office environment, we're used to kind of changing our laptops every couple of years. You can't really do that in the industrial control system environment.

The lifecycle of those machines is 35, sometimes 40 years, and so we can't just rip and replace. So, you've got to work with existing infrastructure that, when that infrastructure was designed, security wasn't really an key requirement. That hasn't changed and that's kind of like the one of the sources of the problem.

What has changed rapidly over the last few years is actually how interconnected those systems are. When the first POCs were designed, they weren't actually meant to be connected to non-control networks. So the fact that we've got everything on networks now means that everything is interconnected so therefore, no “air gaps.” So you've got to find a way of actually monitoring that environment.

The third thing that has also changed significantly in the last couple of years, is that in terms of the threat landscape, first of all, I think a lot of folks have realized that those networks are critical; they are more valuable. Downtime can cost millions and an attack can damage expensive equipment or harm people.  Once an attacker actually gets into the OT networks, from there on, they don't really need to exploit new or know vulnerabilities to cause damage. They can simply send legitimate commands, just leveraging the existing infrastructure and the existing commands to make changes to the process that can be catastrophic.

So the threat landscape, together with “insecure by design” industrial control systems, is what is actually creating the opportunity.

AA: Yeah, the sort of ability to really to cause physical harm is literally -

GA:  Exactly. The impact is completely different than that in the IT domain.

AA: Yeah, and to sort of looking at the backdrop against the security, which you're looking to improve, obviously if you've been in this space you've heard of Stuxnet; maybe you heard about kind of what was happening in Saudi Arabia, where things were happening with Saudi Aramco; maybe some of the other stuff that happened with WannaCry. For someone who is just coming to this space, how do you see this increase of threat level, particularly like the involvement ... Attribution is always hard but potentially nation states fall apart.

GA:  No, I'm not going to talk about attribution, because nowadays it is almost impossible to do. There are so many sophisticated ways in which you can do a false flag, so I'll leave that for other hosts to discuss. But really at the core of the issue is the fact that those networks are really, really, really valuable. Valuable in many different ways. Valuable because they could be used to cause physical damage; valuable because in many cases they actually hold some of the IP of those companies, for example the way a chemical company produces things.

So from that perspective, people will be people. I mean bad people will have interest in attacking industrial networks. Now it doesn't necessarily have to be a nation-state. There is “weaponized” malware available in the wild, so think of terrorists, think of all kinds of crazy people with agendas. I think what was proven over the last few years, starting with Stuxnet, is that it is possible to manipulate those networks. For many of those large companies, that had been the wake-up call, that industrial control systems could actually be manipulated so that it broke the process or equipment or could harm people.

AA: And when you think about essentially the security that you're layering on to their systems, is it in many cases just sort of a mirroring of what has happened on the more traditional IT systems? Like are you essentially just taking those models and those processes and those tools and essentially adapting them to the other side?

GA:  We're trying to do the complete opposite. And this goes against probably every kind of common sense advice that you would hear in the cyber security industry. But basically there is about a 10 year gap in the cyber security posture of IT networks and industrial networks. And so if we repeat the same cycle, it's not going to get us anywhere. What we try to do with our technology is get to the end result, not necessarily by applying the same security controls, because many of those security controls will not be relevant.

For example, something as simple and in many cases useless as anti-virus, is not even something that you can deploy on a controller because of the warranty issue. That's a real-time machine.

I don't need anti-virus on the controllers and I don't need some of the other measures that do not give me what I'm looking for, and are destructive to the network. So, what we've done is our approach is a completely passive data acquisition approach. We read the networks so we're transparent. That also means that the attackers cannot see us on the network. But because of the ability in which we understand those networks, and the protocols that are running those networks, we're basically able to detect the very first steps the attackers make. In cyber terms, we are able to detect attackers at the earliest stages of the “kill chain” so that we can stop them before they progress.

It's a different way of approaching the problem.

AA: Very cool. And essentially then, who ever is managing your system for a company is then able to, once they've been alerted that there may be an issue, do you guys get involved in sort of remediation or understanding what to do?  What's that next step?

GA:  Yeah, first of all for industrial control system networks, the ability to be able to see that something wrong is going on, it's a huge impact. Because right now the security teams are going into those networks completely blind. And if you look at any of the sophisticated attacks, I mean attackers were on those networks months, so that initial detection is kind of extremely key.

In terms of the remediation, it depends on what level of the network. So if something is detected at the really lower levels of the network, where the controllers actually operate the physical process, no one should automatically block traffic from an automatic technology prospective. That needs to be handled in a more manual way, otherwise you can break the operational process or cause a real safety issue.

If we see something from a higher level of the network, from the IT domain, then yes, absolutely. We actually integrate our technology with other security technologies that are able to then take action, based on that information and intelligence.

AA: Very cool. As you think about some of the systems that you're getting involved with, they really are literally critical infrastructure. It’s power plants and those sorts of things. How in that landscape, what do you see in terms of the interaction between both technology providers like yourself, industry, as well as sort of the government sector as well? Is there collaboration that's happening or is it really very silo separate?

GA:  Well there is some collaboration but it's really hard to rely on the government or rely on a standard body, to kind of tell you what to do. I have a lot of respect for, and actually we're workingwith a lot of advisors centered around standard bodies. But standards creation and implementation take a long time and threat actors change tactics very quickly. And so we are creating a completely new paradigm of how to actually address the threat now.

When it comes to governments involvement with standards, I think that a lot of the large companies have just taken that into their own hands, because the government can really interfere with some of those attacks. And as you mentioned, early attribution is really hard.

AA: Yeah. Sort of switching gears, in terms of some of those major industrial players, I saw that you guy had some big partnerships recently. Schneider Electric.

GA:  Schneider Electric, and also Rockwell Automation. Yeah.

AA: Walk me through kind of like that process and what that was like and what that's sort of been able -

GA:  It's a very long process because they go through a lot of checks now. But it's a great working relationship with all in industrial control system vendors that we're working with. First of all, I think that for us, it’s great to get the validation from them, that our technology works as intended and that it's not disrupting the industrial processes their customers are running, which is huge.

And secondly, they also leverage our technology to go to market, because in a real-world scenario, whether you're and oil gas company or a large manufacturer, you don't just have one industrial control system, it’s better if you have all of them. And so our technology cuts across all of them, and so all of those partners can actually take this as a component and plug us into whatever cybersecurity offering they may have.

AA: I mean it's a related question, but as you think about getting installed in major systems, large corporates, you potentially begin to become a threat back to yourself, right, if you have access? So how do you handle those concerns?

GA:  Good question.

So one of the things that I mentioned is with our passive technology, we are actually completely out of band on the industrial network. So we don't exist to the attacker. The attacker would not see us as an IP on the network, etc. We're in stealth, so to speak in the network itself.

Now of course we go through the regular and kind of rigorous security testing in our own lab and have third parties audit our own technology. But the biggest thing is we're actually passive, we sit on a SPAN port, not inside the OT network and not installed on the systems within the network. So we don’t provide an attack vector for bad guys.

AA: So you're outside.

GA:  Yeah.

AA: Great. We've been covering a lot of stuff. Anything you want to go over specifically to talk about? Is there anything that you're like, "I've been waiting to sort of tell people about?"

GA:  No.

AA: Okay. Maybe in general sort of the IoT space, we've all seen the graph, like the number of devices and then it looks like a good investment return, right? Hockey stick. How do you think about that? Does that scare you? Does that excite you? Like there is just going to be everybody buying our stuff. From your perspective, how do you think about sort of a more connected world?

GA:  Good question and actually I do want to say something now. It's actually a great thing that you guys are covering industrial cyber security. It’s been kind of like such an isolated domain, so to speak, that even amongst the overall cyber security industry it has been kind of isolated. So part of what we're trying to do is bring it into  mainstream cyber security so that folks talk about it. For example, at the last DEFCON we did a workshop on ICS together with some of the partners.We’re educating the overall cyber security industry.

Now that kind of translates into your question about IoT. So IoT is everything. People can think of it as the networks that are running in nuclear power plants and then the intelligence in my toaster. So it's not really the same; there is a huge difference between what IoT is.

AA: Hopefully a different, more sophisticated system.

GA:  The way I think about it is that you cannot stop it. The interconnectivity is a good thing if you can actually leverage the power that that gives you. But you can't stop it, right? So the initial push back against security technologies in the ICS domain, was because we're just going to air gap them. Well, it's not practically possible and it's kind of the same thing with the IoT-- you are deploying sensors everywhere in your plant and leveraging that data for all sorts of things.

So I would say, for me, it's very exciting, because when everything is connected and everything is talking to each other, you can do so much more in terms of orchestration in how things flow. That being said, the more we think about security as a priority, and we bake it into the process, the better we'll be off. So it's a fact, you can't really change it.

AA: I mean gosh, having not been involved in industrial control systems to the level that you have, I sort of read about them from afar. But gosh, I didn't realize that the lifecycle was really 35-40 years, that long.

Are you seeing now that maybe the treat, the understanding of the potential threats is increasing -- at least vendors and people who are involved are starting to think about building systems?

GA:  Oh they started that a long time ago. A few years ago, all of the ICS vendors already started being much more open about their vulnerabilities and how they cover them. But again you’ve got to think through the timeline of that, right? So okay, you're getting really serious about improving your security postures, so you started the design of your next controller. That design phase itself, in most cases, is a five year process. And then you launch it on the market and that doesn't mean that the large multinationals are going to go and rip and replace the billions of dollars of infrastructure that they have invested. It might be another 15 years before they actually have to operate.

So that being said, just last week I just came from  probably one of the best, certainly the most technical, ICS cyber security conference in the industry,  S4X18 in Miami. And what we saw there was Schneider Electric talking openly about the recent incident on the Triconic safety system, which was just absolutely admirable. The fact that they're so transparent about that, engaging with the community is something that would not have happened 7-8 years ago.

So the fact that we're seeing vendors not just increase proactively their security, but being very open with the industry is a huge, huge step forward.

AA: Yeah, it is. A sea change in a community when there are problems that everyone has quietly known exists, suddenly -

GA: You might as well be upfront about it and show and tell the community what you're doing about it and how you're solving it.

AA: Yeah, sunshine cures a lot of ills for sure.

The session that you're in, you've made one of the best quotes I've ever heard, which was that, "Air gaps are like unicorns; lots of people talk about them, but we're not sure that we've ever actually seen one."

GA:  Especially in industrial control systems.

AA: Oh, that's hilarious.

So in general and part of the reason that this publication exists is, a lot of people talk about the problems, like what's wrong. And it's easy as a community whenever anybody's system goes down, pretty quickly that person get tarred and feathered. So we always try and talk about the positive, an actual focus on solutions. So what's working and who is doing a good job? Who is admirable right now? Whether that's yourself or partners or companies that you work with. You do not need to name names.

GA:  Actually, I'll take it from a different perspective. I think that one of the biggest changes that kind of enabled our industry to even exist is the fact that board-level members started paying attention and actually understanding what does it mean if they don't have cyber security for the industrial networks. So seeing that awareness at the board level, and then the board members asking the CEO, and then the CIO, to actually do something about it, creates the budget, which means that now we can actually solve the problem.

No problem is unsolvable, you just have to have kind of like a focus on it. I think that most of the large Fortune 500 companies that have industrial networks, and the vast majority of them do, even if it's not things that we think about. I mean this building has HVAC, and elevators and lighting; all of that is ICS, right?

So I think that the boards have done a really good job of asking the right questions. I think that specifically after Wannacry and NotPetya, when the security teams realized that, even though they're not targeted, some of that stuff can get into the shop floor. I think that was a huge wake-up call. And so we've seen quite a lot of interest after that. I think the security teams are also doing a good job of just asking practically, what they can do better in their networks.

AA: Some sort of quiet, stunning headlines after that, in terms of like what Maersk is saying they potentially lost.

GA:  And that was just the tip of the iceberg. That was just really a very small fraction of what actually happened behind the scene.

AA: We're really curious what happens, kind of post GDP on, because I think maybe some changes before that, but just in terms of the disclosure requirements and timing. We just see a flood of more information come out because they're worried about otherwise getting huge [inaudible 00:18:43].

This has been great, just to sort of switch gears for a little bit. For people in the industry, what are you reading? What are you following? How do you kind of stay up?

GA: Good question. Every once in a while I try to read stuff that's not related to cyber security. Which you know, I kind of have to remind myself, because I think what kind of the time that we live in right now is so fascinating, and there is so much that could be done, that it just kind of keeps me up to date.

I actually talk to people. I'm privileged to have access to a lot of the smartest folks in cyber security, both on the technical side as well as the issues that they are facing; it’s just a tremendous challenges. What I tell a lot of my clients is that I never want to have their jobs because they have to be good all of the time and attackers just need to be good once an a while.

But I also work with some of the smartest folks that come from an offensive cyber background. And so a lot of exciting things on just how we think about technology and what we can do with technology. I try to talk to people, because otherwise there is just too much hype in the media, no offense but, right? There is just a lot of hype, especially when it comes to critical infrastructure and those control systems, because the general public does not understand it that well, and usually we see headlines of like the world's exploding or the US grid is going to come down, or something like that.

AA: If it bleeds, it leads, right?

GA:  Exactly.

AA: Cool. Yeah.  I mean that's most of what I wanted to cover. I mean thank you.

GA:  Wait well thank you for getting into that topic of international cyber security. Like I said, we need more education, not just for the general public, even for the folks that understand cyber in general really well. That's kind of a new domain.

AA: If people wanted to kind of check out any of your stuff, or see sort of what you're doing, where would you have them go?

GA:  I think I’ve got most of the things that I write on Linkedin so probably they can check my page

AA: Thank you so much.

Mar 26 2018
21 mins
Play

Rank #7: The Current State Of Protecting Industrial Systems and Safeguarding Civilization Today-An Interview with Joe Slowik, Adversary Hunter at Dragos

Podcast cover
Read more

Key Points From This Episode:

•    Learn more about Joe Slowik and his non-traditional CS Background.

•    Joe gives his overview of the current thought around industrial controls.

•    Find out how we defend industrial control systems today.

•    How can attacks be actualized to impact an ICS environment?

•    Script locking and reevaluating credential storage and credential use.

•    Adopting a strategic perspective and designing network defense.

•    Discover more about the Perdue model and what this means for defense.

•    Tackling the misconception that the attacker only needs to get it right once.

•    Who are getting industrial control systems right and what to aspire to.

•    Why we need to develop a more analytical approach to threat behavior.

•    How to empower individuals to respond and react to threats as they arise.

•    Learn more about the Dragos company motto of safeguarding civilization.

•    And much more!

Feb 07 2018
27 mins
Play

Rank #8: CISOs On the Tight Rope Balancing Act- An Interview with Simon Gibson, CISO at Gigamon

Podcast cover
Read more

Key Points From This Episode:
Some of Simon’s background and the areas in which he has worked.
The work Simon did at Bloomberg the and role of financial services in security.
The rising value of data and how this fits into an organization’s security.
The continuous role of a CISO in maintaining security over time.
Balancing risk preparation with cost effectiveness.
The easy ways to make sure your company is not very exposed to attack.
Matching your security practices to your company and it’s customer’s needs.
Disclosure of bugs and vulnerabilities to clients.
Taking responsibility for the risks you may be aware of within products.
The danger of incremental risk and putting an end to this growth.
The dimension that cloud and multi-cloud adds to these security concerns.
Simon’s perspective on the history of the RSA conference.
And much more!

May 07 2018
25 mins
Play

Rank #9: From One CISO to Another, Get Back to the Basics - An Interview with Jaya Baloo CISO of KPN

Podcast cover
Read more

Key Points From This Episode:
Learn more about the 2012 KPN hack and its impacts on cyber security today.
Riding the security rollercoaster: How to sustainably manage vulnerabilities and incidents.
Dealing with the known knowns, the known unknowns and the unknown unknowns…
How KPN works to reduce the window of opportunity for a potential hack to take place.
How does KPN ensure that security becomes embedded in different organizations.
Jaya shares more about the impact of cyber security when it comes to saving lives.
Why companies need to get their basics right before adding on more security services.
KPN’s risk mitigation strategies and why Jaya believes that risk acceptance is pretty evil.
Learn more about KPN’s “dumb” tool and the information they decided to make open source.
Jaya shares more about the KPN CISO app and where you can download it for free.
Jaya’s candid advice to fellow CISO’s and cyber-security product buyers out there today.
And much more!

May 30 2018
19 mins
Play

Rank #10: What The Future Of The Internet Looks Like and How We Can Secure It Humanely - An Interview with Andrea Little Limbago, Chief Social Scientist at Endgame

Podcast cover
Read more

Key Points From This Episode:

Andrea's journey from academia to cyber security.
Why cyber security is also a retention challenge.
How companies can protect their employees from burnout.
What happened to the utopian idea of the internet?
State sovereignty and the balkanize internet or splinter net.
The implications of China’s new social credit system.
Learn more about GDPR and the control over your own data.
Does Russia’s internet look different to the rest of the internet?
The effects of the crypto currency movement on cyber security.
Learn more about the Russia-China authoritarian model.
Will GDPR be successful in helping democracies move forward?
Discover what Endgame does and how it operates on a daily basis.
Find out what it’s like being a woman in cyber security today.
Fake news and cyber hacks and their effect on the political climate.
And much more!

Feb 12 2018
26 mins
Play

Rank #11: CISO’s are Goal Keepers, All Guts No Glory - An Interview with Giovanni Vigna of Lastline

Podcast cover
Read more

Key Points From This Episode:
Vendor tools: Who should we be routing detections to?
The importance of giving the right information to the right people.
Tips for dealing with technical superiority and buzz word trends.
How small companies can establish their own technical superiority.
Why no one really believes how great you tell them you are.
What the next generation of software programmers are looking at.
How cyber security has become a cross-disciplinary concern.
What it takes to educate the next cyber security force.
Finding new tools to teach security in new ways.
Diversifying cyber security culture as we move into the future.
The benefits of hacking competitions and events.
Why a CISO is just like the goalie in soccer.
How do we get credit for the attacks that didn’t happen?
Evaluating pain points and the result of not solving them.
And much more!

Jun 29 2018
23 mins
Play

Rank #12: How Bad is IOT Security? - An Interview with Stephen Cobb and Tony Anscombe from ESET

Podcast cover
Read more

Key Points From This Episode:
An introduction to our guests and their roles at ESET.
What brings our guests to RSA.
High detection, low maintenance and avoiding false positives.
Resistance to the cloud and what the slow migration means for security.
The obvious relationship between cyber security and the Internet of Things.
Practical and safe application of IOT in the home.
Targeted attacks and specific ransomware.
Looking at how these products in our homes can be leveraged by cyber criminals.
The benefits of complexity and putting the pieces together.
The reflected complexity of the criminal tactics.
The ongoing struggle even as security technology develops.
GDPR, cars that start with your phone and the future now.
Creating a ‘naughty list’ of companies to avoid?
And much more!

Jun 07 2018
29 mins
Play

Rank #13: How to Make Security Analysts' Lives Easier - An Interview with John Cassidy CEO and founder of King & Union

Podcast cover
Read more

Key Points From This Episode:
The latest product John and King & Union have launched called Avalon.
Avalon’s target market and the space it occupies in security operations.
What differentiates Avalon from other similar products.
Entering a crowded market and integrating into existing systems.
The architecture of securing information for a large company.
Housing these systems and the cloud services Avalon uses.
The experience of venture capitalism and the start-up game.
Building the team at King & Union and the benefit of shared experience.
The location of the company and its branding choices.
And much more!

May 14 2018
11 mins
Play

Rank #14: The Black Report, The Human Behind the Hack - An Interview with David Smith of Nuix.

Podcast cover
Read more

Key Points From This Episode:
David’s current position at Nuix and his background in the US Secret Service.
Some information on the Black Report and it’s defining characteristics.
The biggest realizations David has had working for Nuix.
Underestimating the human factor in current cyber attacks.
Better understanding the profiles and motivations of hackers.
The evolution of the mind of the attacker and how things stay the same.
Possible ways to go about testing and preparing for attacks.
David estimation of the social cohesion of hacker organizations.
How the security protocols and processes could be streamlined or sped up.
And much more!

May 11 2018
22 mins
Play

Rank #15: The Making of a Cyber Hero - An Interview with Gary Berman, CEO of CyberMan Security.

Podcast cover
Read more

Key Points From This Episode:
An introduction to Gary and his professional life.
The tragic turn that Gary’s company took after it was hacked from the inside.
How Gary and his wife handled the crimes that were committed against their company.
The change of career that followed the downfall of the company.
The hacks that persisted ten years after Gary left his original career.
The decision to turn his lack of cyber knowledge into a lesson for anyone.
The birth of the Cyber Heroes comic!
Looking at the motivations of the employees who hacked Ben.
The actual, legal ramifications of hacking.
Thinking of new ways to strengthen the general public against hacks.
And much more!

May 29 2018
47 mins
Play

Rank #16: Deception as A Strategy An Interview with Rick Moy from Acalvio

Podcast cover
Read more

Well Rick, thanks for joining us. Just introduce yourself.

My name is Rick Moy. I'm the chief marketing officer at a company called Acalvio Technologies. We are a Deception 2.0 company. We are creating a distributed deception platform that brings automated deceptions at scale and authenticity to organizations of any size. The goals is to make it easy to manage, deploy, and implement deception strategies in the network in order to do a better job of detecting attackers who have gotten past the prevention that is deployed on the perimeter and on the endpoints.

 Yeah. Such a great background and experience and fit for some of the conversations that we've been having. We're seeing the realization in the market that static systems aren't secure, they're just not. If an attacker can see what you're doing, they're going to be able to penetrate it.

I know you guys have been around a while. Walk through where Deception and changes have happened. What that history looks like.

Yeah. Well, so first of all, to set the context like I talked about in my talk this morning, deception has been around for a long time. It exists in nature. You have the Venus Flytrap, the angler fish, you think of those fun things. So, nature's got them. We've used deception in warfare, kinetically, so military use smokescreens, false retreats, fake units, right, during D-Day, we created some inflatable tanks to fool the Germans.

In cyber, it really started around 1989 with the German attacker who was breaking into Lawrence Livermore. A guy named Cliff Stoll is one of the first documented deception campaigns, where he actually created fake systems, fake files, and even fake departments logically in the company, and a fake secretary who he gave an account on the system in order to mislead the attacker. So, deception is part of our world, whether we realize it or not.

Attackers use deception against us in phishing campaigns, in malware, polymorphic malware. We use deception to sinkhole botnets. We use it to gather threat intelligence externally. The field of honeypots, which most people think about, has been around for 20 years, and that's great. A lot of open source, community level projects. It solves a certain problem, but the change we've noticed over the last few years is that making those enterprise ready, right. What does that mean? No one has time to manage another platform. It takes time to figure out well what kind of campaign do I want to run. There's some manual effort required.

The new phase of deception, we call Deception 2.0 has a couple key principals. It's got to be manageable. It's got to be automated. It's got to be authentic. It's got to interoperate with your existing infrastructure fabric. All those things have to be true. That's really only become viable within the last 12, 18 months I would say. There's a lot of Deception offerings that I call more point products. They solve a specific part of the problem, but they aren't as fluid and dynamic as the modern enterprise would like. Keep in mind, developers have been talking about Devops for five years or so now, so that's really become part of the mantra within the CIOs organization. We've gotta be Agile. We've got to adapt to a digital transformation, that's still ongoing.

Yeah. You brought up so many good things there. I think that pain point that you talk about where you're already seeing 10,000 threats a day, maybe a million incidents a day, and if you were going to create another system where you're going to create even more incidents. You already are overwhelmed. The idea of how do I handle more when I'm already drinking from the fire hose. How do you guys, both your own technology but what do you see in the market in terms of that filtering, that understanding what is noise on the network and what is the really high-risk elements.

That's perfect, right. It's true. There's organizations I've worked with that get millions of alerts a day. That's exactly the problem with the prevention or traditional detection type of technology. Where deception comes in is really a great blessing for the organizations. It's a totally different philosophy.

With prevention you're trying to find the bad guy hiding in the crowd. With deception, you've set out fake assets, decoys that will attract them. By definition, anyone whose interacting with that decoy is not following business process. If they're an employee, they're not following the business process. If they're an attacker, they're looking for some data to either steal or ransom back to you.


“Deception 2.0 has a couple key principals. It’s got to be manageable. It’s got to be automated. It’s got to be authentic. It’s got to interoperate with your existing infrastructure fabric. ”
— Rick Moy

The definition of deception is it gives you high-fidelity alerts, so a very small number of them because, in general, they don't occur very often. They're designed specifically to detect lateral movement. Someone who has gotten a foothold on a workstation or a server inside an organization is now trying to pivot and find some of that important treasure to, again, steal or ransom back to you. By doing that, trying to figure out what machines are next to me, what services are in the environment, how do I connect to them ... all those activities could potentially reveal their existence if they connect to them. That's where we come in. Deception's a great compliment to a very noisy existing infrastructure that most organizations already have set up. These two things can be complimentary and used together.

Yeah. When you think about when you're creating a network and, essentially, trying to replicate something that looks like your existing environment and putting assets there. How do you do that in a way that's efficient, easy, and that also is believable to an attacker. In many cases, sadly, a lot of organizations don't even know what their network looks like and what's on it. How do you stand one up that's an image of it, a copy of it, that's real ... at least real enough to an attacker?

That's a great question. That's exactly one of the shortcomings of the previous generations of honeypot technologies. Modern approaches will allow admins and organizations to use gold images.

You can take systems that are actually deployed, dirty images. We call them gold, but a lot of them call them their copper or pewter or their fairly tarnished. They're not necessarily a precious thing. That's exactly what you want. You want to replicate and mimic the actual systems in your environment. If it's too clean, it's going to be suspicious. If it's too locked down, it's probably not going to be a good lure for an attacker. It needs to have the same kinds of flaws that your other systems have.

Not to get too technical because we have an audience that spans the range from security professionals to individuals who are tangentially involved, but can you dig in a little bit to one layer deeper in terms of how you do that? Is that done through virtual machines? What's the way you deploy a network?

To be honest, there are some that are out of the box that are just standard. There's a whole matrix of different types of deceptions you can deploy. Out of the box, you would get some basic things like SMB file shares, certain Windows operating versions, Windows 7, Windows 8, and Windows 10, Server 2012, etc. Those generally we provide. Others can be virtualized or containerized. We call it in our lingo, "service reflection."  The process of wrapping an image that's already in production and then mimicking its existence on different VLANs. We have technology that really simplifies that. It's all about making it easy for an organization to roll out a deception campaign.

So you're deploying stuff both on prem as well as in the cloud? How is the deployment typically?


“There’s a certain investigative, James Bond nature to it ... what’s going on, who’s inside the castle walls, what information do I have, how can we lay some traps to have that person reveal themselves. ”
— Rick Moy

Acalvio is a cloud first company. Everything we design is meant for organizations who are going to be moving to the cloud or deploying from the cloud. That same engineering discipline allows us to deploy cloud-ready apps on premises in a very efficient DevOps manner. We've done the design for the hard stuff first, but are also deployable on prem.

Where are things going? What's new? What do you think people should be really excited and trying out in this phase? What's cutting edge in deception right now?

Cutting edge, I'd have to say it's probably the boring part of just making it operational. A couple of years ago, cutting edge was putting up a lone honeypot on the outside of your network and getting external threat intelligence. Well, that's something that a lot of people know. If you put something on the outside of your network, within about 5 minutes, you're going to start getting attacked, right?

What's really critically important to the organization, as well as kind of fun I think and so maybe this is the definition of cutting edge, is finding the bad guys who are already inside your network. There's a certain investigative, James Bond nature to it ... what's going on, who's inside the castle walls, what information do I have, how can we lay some traps to have that person reveal themselves. You get into this detective mode, and you start to think well what tools do I have to do that. There really isn't anything more exciting in my mind than the deception arsenal of tools that you have.

The honeypot is your actual server, you can put services out there that maybe just like a FTP service, which was used, for example, in the Sony hack. File sharing ... you can put fake spreadsheets out there. You can have false, misleading data in database servers that would, if that data was ever used in public you would know that you had been breached. There's really creative ways that you can think about marking content that if it's touched or used somewhere else will be an indicator. It really forces you, as the security guy, to think a little more holistically about what business are we in. Are we in healthcare ... is it patient records? Are we financial services ... is it bank account information? Are we a R & D shop designing semiconductors, so then it may be IP around a particular laser etching technology or layout of a microprocessor. I would want to have different strategies around each of those. That's what's interesting, and frankly invigorating, for a security person who maybe last week their top priority was applying a patch or responding to some malware on Jane's computer. Now he gets to think more strategically about the business and the threats that it faces. It's something that's typically reserved for the C-level suite, but in reality it's the people who are hands-on that have to implement that.

 I think it's a great opportunity from many perspectives.

Sounds very cool. As people are thinking about adding deception to their strategies, what would you say is the best way to climb the curve, to educate themselves? Are there some resources out there? Are there some books they should check out? What sort of way to get involved there?

Actually it's a great question. It's almost a setup. We actually have a couple of books that we've written.

Cool.

You can go on Amazon. There's a couple historical books you can look at. The Cuckoo's Egg is one. Kevin Mitnick has written a book about deception.

We have two free books. One's a Dummies book, Deception for Dummies. It's a very short read. It's actually quite entertaining.

You don't have to be a dummy. It does a really good job of explaining it. Then we have an advanced field guide for the advanced practitioner whose had more experience with some honeypot technologies.

Awesome. Thanks for taking the time. This is your opportunity if you've got a soap box ... what would you like the community to know if you had 30 seconds, a minute, to say, "Gosh, you know you really need to be thinking about this."

 I would encourage the community to recognize that deception is all around us. We use it every day, and it's used against us every day, whether it's in advertising, social relationships, and in cyber it's used. Let’s use deception to change the dynamics.  The attackers are using automation and forcing us to do manual review of the problems they've created. Deception is the only platform that allows us to lie back to the attacker and change that dynamic and make them do some work.

From that perspective, when you look at the technologies at your disposal ... huge points for that. When you also consider that it's lower cost to deploy than a number of other technologies and more effective and lower noise, there's a lot of reasons to look at it. I'd encourage people to have an open mind and to read up on what Gartner says is the number three of the top technologies for the next year.

Yeah. Awesome. This is great. Thanks so much.

Thanks for the time.

Feb 28 2018
15 mins
Play

Rank #17: Preserving Your Social Brand: The New Threat Factor - An Interview with Mike Price, CTO of ZeroFox

Podcast cover
Read more

Key Points From This Episode:
Learn more about Mike, his background in the industry and his role at ZeroFOX.
Find out why security never appears to be top of mind when it comes to social.
Are people more welcoming of digital intruders versus in-person intruders?
Mike shares his views on social interaction from an enterprise perspective.
How ZeroFOX assists companies who are being harmed by behavior on social.
Why is crypto mining such a big issue right now and are consumers at a security risk?
Is the home becoming a new target for hackers and how consumers can protect themselves?
Discover whether Mike sees a battle between
AIML and data privacy.
And much more!

May 09 2018
11 mins
Play

Rank #18: Who is Watching the Watchers - An Interview with Marton Illes of Balabit.

Podcast cover
Read more

Key Points From This Episode:
Martin’s background and the current climate of privileged access management.
Managing the changing roles of privileges within hierarchical organizations.
How the inevitable shift to the cloud is changing cyber security concerns.
Who watches the watchers? What is the freedom of a super-user?
Points of friction within and without organizations around admin roles.
The increasing space of AI and what that means for job creation.
The lack of development in cyber security skills due to increased AI roles.
Data regulation and balancing freedom with control.
Comparing Europe and the US and the influence of GDPR.
Who should be considering the option of security privileges?
And much more!

Jun 27 2018
21 mins
Play

Rank #19: Everybody’s Phishing - An Interview with Joe Gray of Advanced Persistent Security

Podcast cover
Read more

Key Points From This Episode:
Learn more about phishing for awareness and what this entails.
How Joe helps companies set up phishing engagements against their employees.
Incident response and why phishing attempts are never going to be 100% effective.
Assuring those who have been phished that their credentials aren’t necessarily useable.
The difference between pen testing and red teaming in light of Haroon Meer’s work.
Why less black box pen testing and more white box red teaming could be the way.
How are organizations measuring both potential vulnerabilities and risk taking.
Compliance versus privacy versus security: Why GDPR is winter and winter is coming.
Learn more about national and international regulations for cyber security response.
Find out more about the threats out there today (like IOT) that are terrifying Joe.
Seriously, why would you need a Bluetooth controlled water heater in your home?
Hear more about the $29 Amazon home router that Joe easily attacked.
Why we need to go back to protecting people before protecting business.
Joe gives a few simple steps toward better cyber security in the home.
Learn more about using deceptive technologies and disinformation to secure yourself.
Disinformation, trolls and bots and their influence on the on the US election.
A current update on various state approaches to cyber security laws and bills.
The positive movements that Joe is seeing in the field of cyber security today.
And much more!

Jun 15 2018
24 mins
Play

Rank #20: A Postcard From the Future - An Interview with Dr. Ron Ross

Podcast cover
Read more

Key Points From This Episode:


•    Dr. Ross’ job specifics and NIST’s role in cyber security.

•    The current climate of cyber danger and how this relates to the internet of things.

•    Cyber resiliency as compared with the idea of cyber security.

•    Counter measures and tactics that typify cyber resiliency.

•    The characteristics of diversity and homogeneity in security systems.

•    The idea of deception as a tactic in defense.

•    Dynamism and reconfiguration in the ongoing battle against adversaries. 

•    Minimizing the time that a cyber criminal has to operate within a system.

•    Utilizing virtualization and shielding in the framework.

•    Accelerating dissemination of the information available on cyber security

•    And much more!

Links Mentioned in Today’s Episode:

Dr. Ron Ross — https://www.nist.gov/people/ronald-s-ross


NIST — https://www.nist.gov/

NIST Cyber Resiliency Framework — https://www.nist.gov/cyberframework

Dr. Ron Ross on Twitter — https://twitter.com/ronrossecure

Cambridge Analytica — https://cambridgeanalytica.org/

May 01 2018
58 mins
Play

Similar Podcasts