Down The Security Rabbithole

TL;DR It's been said that the road to hell is paved with good intentions. I feel like this applies to SBOM so much it's scary. All the good intentions in the world seemed to have led us to a place where we have tools that produce inconsistent results, tool sets that aren't necessarily integrated or mission-focused to deliver results, and a lot of confusion. Varun joins us with a boatload of entrepreneurial expertise and an eye for problem-solving so it's an interesting conversation. Join Rafal & James in a conversation that you'll want to listen to a few times, and take notes. Link to YouTube video https://youtube.com/live/pZgiiRQeou0?feature=share  Guest Varun Badhwar LinkedIn: https://www.linkedin.com/in/vbadhwar/ 

TL;DR: This DtSR podcast brings back a good friend of the show, and one of the most experienced leaders I know - Mr. Jim Tiller. We talk about an interesting topic - the "virtual CISO". vCISO is interesting because as markets tighten, and it becomes more difficult to find and afford good CISOs and security leaders in this market. So how can a company best utilize this part-time resource? We discuss... What are the best ways to utilize vCISO? What questions should you be asking? What are things to look out for? YouTube video https://youtube.com/live/OaYS0yEajQw?feature=share  Guest Jim Tiller LinkedIn: https://www.linkedin.com/in/jimtillersecurity/  Jim's Security Bytes newsletter: https://www.linkedin.com/newsletters/security-bytes-6943286067194187776/ 

TL;DR: I'm extremely excited to present to you, dear listeners and friends, a wonderful conversation with Sergio Caltagirone, who is quite the authority on 'threat intelligence' - where others talk tools and limited knowledge, Sergio literally was there at the birth of the cyber dawn of the threat intelligence operations we know (or don't know) today. Sergio has been at an agency, at Microsoft, at Dragos - and he knows threat intelilgence from theory to applications. Listen in, learn a bit, and laugh along as the Chinese spy baloon (that's my story and I'm sticking to it) disrupts our communications with our pal, Sergio. Video Link (unedited, and hilarious): https://youtube.com/live/SuH4uxBiX3E  Guest Sergio Caltagirone LinkedIn: https://www.linkedin.com/in/sergiocaltagirone/ 

Tl;DR: Automation. It's a precarious thing in cyber security. Whether you're thinking about SOAR, or incident investigation, or maybe SIEM (I'm sorry) - this conversation will be worth your time. Anton and Jonathan join us to talk about how "automation" has evolved over the last decade or so, and where it's largely failed. We also start to explore the future and requirements for how things can collectively improve. We think you'll enjoy the podcast... share it and we'd love to hear from you.   Guests Anton Goncharov LinkedIn: https://www.linkedin.com/in/cybernode/  Jonathan Cran LinkedIn: https://www.linkedin.com/in/jcran/ 

TL;DR A few days ago, my pal Kevin asked me if I had seen the LinkedIn post by Helen Patton that asked an interesting question of the podcast space... Her post made me think - why the heck not? So, I did. Thanks to Helen, whose idea this was - I hope you get a chance to watch and enjoy the outcome of your request ... we had far too much fun recording it. Here on this episode - which I promise you is 100x better on video, we have Anton Chuvakin, Kevin Thompson, and Jeff Collins joining Rafal & James on the podcast to have a little fun and ask "ChatGPT" some questions. Anton drove the screen share, and we had a lot of fun. I have to wonder - how did some of those answers (you'll know when you see/hear them) make it on there. Holy cow... wow. LinkedIn video replay - https://www.linkedin.com/video/event/urn:li:ugcPost:7021885147977314304/  Guests Anton Chuvakin LinkedIn: https://www.linkedin.com/in/chuvakin/  Jeff Collins LinkedIn: https://www.linkedin.com/in/jmcollins/  Kevin Thompson LinkedIn: https

TL;DR On this episode, we welcome Josh Grossman - who has a pretty interesting perspective on AppSec, or Software Security, or (cringe) "DevSecOps". Josh has a bit of an edge on the subject, so he fits in with myself & James perfectly. We talk about where things stand from the vendor perspective, building programs, and why it takes to make a real impact, versus continuing to push a very large boulder up a very steep hill. Oh, hey, want to be on the show? Let us know a topic and your background and let's talk. Guest Josh Grossman LinkedIn: https://www.linkedin.com/in/joshcgrossman/  Twitter: https://twitter.com/JoshCGrossman 

TL;DR This week on 2023's first live-streamed episode (technical our first recorded in '23) our friend Larry Whiteside, Jr. joins us to talk about the prospects for 2023 and beyond. We discuss trends, make some rather sad predictions, and attempt to be hopeful about what the new year could bring us - if we don't find a way to walk ourselves off a cliff, first. It's a light discussion, that dives into some deep topics, and ultimately ends with some hope... 'ish. Join us! Oh, hey, since some of you are looking for a new opportunity in the new year, Larry's hiring (check out his LinkedIn page). Guest Larry Whiteside, Jr. LinkedIn: https://www.linkedin.com/in/larrywhitesidejr/

TL;DR Shawn Tuma, our favorite cyber legal eagle, joins Rafal & James to talk about the sorts of things we learned about 2022, in what could be confused for a year-in-review episode. We saw ransomware, big incidents, but overall ... things weren't the worst out there. If you missed our live-stream on LInkedIn (link below) you can replay that any time, or listen to this episode as a podcast. For 2023, I'm going to be tweaking some things to get us talking, sharing, and hopefully an even better experience of the podcast you already love. LinkedIn Live-stream re-play: https://www.linkedin.com/video/event/urn:li:ugcPost:7013670254237163520/  Guest Shawn Tuma LinkedIn: https://www.linkedin.com/in/shawnetuma/ Twitter: https://twitter.com/shawnetuma/

Prologue This week James and I are joined by my good friend and many-timer on the podcast Brandon Dunlap, and our mad genius and serial entrepreneur pal Paul Calatayud to talk about all of these guarantees, warranties, and insurance. It's a strange discussion but quite necessary as the industry is littered with some of these offerings by providers and various software (security) vendors. These guarantees and warranties are made to make you feel better, but rest assured lawyers wrote these and there's always a catch. The insurance conversation, that's a little different (way different) and Paul's got some interesting things to say here. Don't miss a great episode!   Guests Paul Calatayud LinkedIn: https://www.linkedin.com/in/whitehat/ Brandon Dunlap LinkedIn: https://www.linkedin.com/in/bsdunlap/ 

Prologue Karim Hijazi joins Rafal & James this week on the podcast to talk about some interesting trends and developments in the world of bad actors. It's an interesting update including some things I wasn't expecting to hear about how threat actors "hit back at" incident responders and threat hunters. This is a good conversation about the current threat landscape with an eye on the Russian hackers out there, and pretty good listening for anyone who wants an added dose of situational awareness. Links: Sneaky Hackers Reverse Defense Mitigations When Detected - https://www.bleepingcomputer.com/news/security/sneaky-hackers-reverse-defense-mitigations-when-detected/  https://cybernews.com/editorial/russian-hacktivist-real-dangers/ Guest Karim Hijazi LinkedIn: https://www.linkedin.com/in/karimhijazi/ 

Prologue This is a very interesting episode... Gadi Evron joins James and me on this slightly technically difficult (the IPoCP - IP over Carrier Pigeon - was awful at times) episode to talk about the CISO role and the potential liabilities that lie within. Whether we're talking about the Joe Sullivan case (and we're not, or we try not to), or we're generalizing about employment and legal culpability - this show traverses a lot of land and it's all worth your time. Hopefully if I did an OK job, you won't notice all the edits :) Pre-reading Blog post from Gadi & Team 8: https://team8.vc/rethink/cyber/cisos-guide-to-legal-risks-and-liabilities/  The CISO guide: https://lp.team8.vc/cisosguide  Guest Gadi Evron LinkedIn: https://www.linkedin.com/in/gadievron/ 

Prologue It's always a pleasure when I can get some friends together and banter on about a topic we all find interesting. This week's topic was supposed to be released a bit later, but it couldn't wait. We had so much fun that I thought it needed publication right now. The premise is simple - have you looked around at how many security vendors there are and just asked yourself ... "Are we solving anything, or just adding to the mess?" That's what we did on this podcast. And yeah, we'd know because we have some life experience in this industry. Required Reading: https://www.linkedin.com/pulse/security-tools-crash-coming-mark-curphey/  Guests Mark Curphey LinkedIn: https://www.linkedin.com/in/curphey/  Jim Tiller LinkedIn: https://www.linkedin.com/in/jitiller/  Anton Chuvakin LinkedIn: https://www.linkedin.com/in/chuvakin/  Vikas Bhatia LinkedIn: https://www.linkedin.com/in/vikasbhatiauk/ 

Prologue On this episode Rafal & James re-visit the concepts of machine learning, "artificial intelligence", and applicability to cyber security from Sven Krasser, Chief Scientist at CrowdStrike. Dr Krasser has been working on algorithms and computers analyzing massive amounts of data since the early 2000's so his analysis of today's "state of the art" and projections for the future are likely spot on. We have a little fun poking at industry buzzwords and make some real projections for where things are moving. If you're trying to sift through the hype and asking yourself is any of the "AI + ML" hype is real, right now, listen to this podcast. Some of your questions are likely answered here.   Guest Sven Krasser, Ph. D. - SVP & Chief Data Scientist at Crowdstrike LinkedIn: https://www.linkedin.com/in/svenkrasser/

Prologue This podcast has attempted to go down-market a few times, with some success in discussing the important issues that service providers and security vendors oddly ignore. If you're not in the enterprise, you get ignored by 90%+ of the security vendor space, that's just fact, and that means that you're left to fend for yourself at the worst scale possible. That's unfortunate, in the long run, because as all the vendors chase enterprise vendors, they at the same time lament the poor state of downmarket security. This podcast addresses something that may be able to help. A long-time colleague and friend has started a company and has a philosophy that we think y'all should hear about. I'm going to encourage you to give ContraForce a look -- not just because they're named after one of my favorite video games of all time -- but because they are working hard to solve a fundamental problem that we have in the security space...small companies have big problems too. Guest Stanislav Golubchik LinkedIn: https://

Prologue Are you sick of hearing "Zero Trust"? Do you, like us, also feel like it's a marketing buzzword, and then a cute concept that has a very difficult time in reality? Yeah, this episode is for you. David Fairman and Jason Clark, join Rafal to talk about what is essentially continuous signals evaluation, least privilege, and default deny with segmentation. All those things we love, and haven't done right. Guests Jason Clark LinkedIn: https://www.linkedin.com/in/jasonclarkfl/  David Fairman LinkedIn: https://www.linkedin.com/in/dfairman/ 

Prologue This week, we take it back to the basics, that's right, the basics, as we talk to Huxley Barbee about the need to identify and understand the assets on your network and in your various environments. A fascinating conversation with some history, some laughs, and some honest discussion a topic that's absolutely critical to cyber security. If you've not done so, go check out the conversation with Dell Technologies' John Scimone -- a CSO's perspective on fundamentals: https://ftwr.libsyn.com/dtsr-episode-513-cso-perspective-on-security-fundamentals which will give you some additional perspective on this issue. Guest Huxley Barbee LinkedIn: https://www.linkedin.com/in/jhbarbee/ 

Prologue Today's guest helps James and Rafal attempt to unravel the completely confusing space of "modern remote access". Some call it SASE, some SSE, some ZTE and some are completely mad and still use the term VPN. Who knows who's right, or why any one is preferred over the other ...except Carlos Sales from NordLayer. Listen in, and give it some thought. Maybe you'll understand this big mess a little better by the end of the episode. Guest Carlos Salas, Engineering Manager, NordLayer LinkedIn: https://www.linkedin.com/in/carlos-salas-b89480187/ Get a special offer from NordLayer, because you're a listener of DtSR: https://nordlayer.com/dtsr 

Prologue It's been a while since we have done an episode on cyber insurance, in fact, the last episode was https://ftwr.libsyn.com/dtsr-episode-454-tpa-cyber-insurance-fact-vs-fiction back in July of 2021. So we revisit with the two experts plus a bonus guest for you. We look at the issues from the perspective of the broker, buyer, and lawyer -- a complete picture if I do say so myself! Story link in FastCompany: https://www.fastcompany.com/90781786/cyber-insurance-price-hikes-have-left-local-governments-reeling  LinkedIn Live video stream (on-demand): https://www.linkedin.com/video/event/urn:li:ugcPost:6980210814192402434/  Guests Shawn Tuma LinkedIn: https://www.linkedin.com/in/shawnetuma/  Sean Scranton LinkedIn: https://www.linkedin.com/in/sean-scranton-2b24948/  Sebastian Avarvarei LinkedIn: https://www.linkedin.com/in/sebastianavarvarei/ 

Prologue Our industry has been talking about XDR for a while now. Some people think it's the savior, some people think it's marketing garbage - and neither of them really understands what this "thing" named XDR is. Well, I figure we'll get some smart people on the podcast, people who live in this field and use this word a lot, and giddy up. This episode is slightly PG-13'ish ... because Anton has a potty mouth and I don't want to edit. Guests: Anton Chuvakin (Google) LinkedIn: https://www.linkedin.com/in/chuvakin/  Jamie Moles (ExtraHop) LinkedIn: https://www.linkedin.com/in/jamiemoles/  Bryan Lee (CrowdStrike) LinkedIn: https://www.linkedin.com/in/obiwanblee/ 

Prologue We start Cyber Security Awareness Month - the 30-day window where corporate law requires you to check the box and take boring security 'awareness' training, then forget it November 1st. Not my favorite month... so what about scammers, criminals, and bad people who prey upon those who aren't covered by corporate mandated training? Join us, let's talk about it.   Guest Michael Magrath LinkedIn: https://www.linkedin.com/in/michaelmagrath/