
Defensive Security Podcast Episode 271

Jul 03, 2024, 57 min


Transcript

Hey, Jerry. Hey. Been a while. It has been a while. Word on the street was that you quit this game. I did for a little bit. So this means you're back. Back. Welcome to episode 271 of the Defensive Security Podcast. My name is Jerry Bell, and joining me tonight, as always, is Mr. Andrew Kalat. Jerry, it is awesome to be here and to see you again, my friend. It is awesome to be seen, and awesome to see you as well. Like a phoenix rising from the ashes of your CISO career.

Back. I'm not sure that there's any rising going on. It's all ashes. I think the Bible has something to say about that, but, hey, here we are. But we're back. We're back, baby. Awesome. So what do we want to tell the three of you who still have the feed up? What happened? Yeah. I think y'all may have recognized that we radically slowed down the frequency with which we released episodes. And that was in large measure due to me taking a new job back in

early 2020. I took a job as the CISO for IBM Cloud, and it was an exciting though extraordinarily demanding and intense job. And so I was there up until last Friday. And now I am, as they say in sports land, a free agent. Spending more time with family sort of thing. Absolutely. Absolutely. That's exactly why I left. Yes. Spending more time with family. None of the allegations were proven. No guilt was proven or admitted in any

situation involved, as I recall. None of the witnesses made it to trial. Sometimes that's just how it works out. I don't know, but I for one am very happy that we have some more time to do this now. Like you, my life got busy. We had a big pause in 2019 because my body decided to try to kill itself, and I was laid up for about a year, but I got better, I say, and I'm all good now. And then you took a crazy job, and between that, we really haven't had much time, but here we

are. And so what do you think? Is this going to be a regular thing, or is this just a once-a-decade frequency sort of thing now? So I definitely want to do this on the regular. I actually enjoy this. This was something that I really looked forward to, and it was sad that I stopped. It was a good outlet. It was nice to connect with people, fun to record, and fun to talk about. So I'm really looking forward to getting back into it.

That's great to hear. And I hope some of the folks from the old days are still out there. And if not, we'll pick up some new interesting folks who are curious about what we have to say, and we can be of some help. Absolutely. Absolutely. Unlike normal, where we typically have a slate of news stories that we talk about, this one's going to be a little bit different.

I just wanted to do a little bit of reflection, maybe between you and I, on what perhaps we've learned over the past seven, eight years. Before the show slowed, we really talked a lot about the things we can learn from recent news stories. But I think we probably both have learned some pretty important lessons ourselves. And I think in some ways it puts context around the things that we had talked about previously. So at least for me. Yeah. You had a huge real-world environment too,

to deal with countless, unending threats and incidents and scenarios, and a massive MBA session, if you will, in real-world security. And I'm sure, obviously, we both have ethics to consider and confidentiality to consider, so we've got to be a little careful there, but like you, I've moved jobs a few times. Currently I'm working, and have for the last three years, as director of information security engineering and application security for a late-stage startup called Salesloft. It's

a SaaS tool that helps salespeople. It's all cloud-based, and they've got a great team working for me. I work with some good guys, but it's been... it's one thing to talk about things. It's another thing to do it in the real world. And I think we have a lot of lessons learned about how tough it can be to take a great idea and execute it in reality.

Yeah. That, I think, has been my biggest observation: it's pretty simple to talk about security topics in the abstract, and how to better defend yourself and whatnot, but putting that into practice I found to be extraordinarily difficult. Because it's as much of a political problem. Security is as much of a political and people problem

as it is a technical problem. I don't think there's anybody that would say they are, like, overly surprised by that statement, but I really felt that deeply. Yeah. I think in my career, I started off as very technically talented, but not very socially competent.

I think I was fortunate to have a time in the infosec and IT industries where you could get away with being the brilliant jerk, and I was for a long time. But as I've gotten more mature and, I'd like to think, smarter and wiser, and have gotten less ego-driven and been able to learn to work better with other people, which I'm still working on every day, it is amazing how much that matters from the standpoint of trying to further your goals in an organization.

And that's one thing we see all the time: we feel like black-and-white solutions are out there, that everything is just an obvious thing that needs to be done, and people who don't see it are dumb or working against us. It's not true. They have a different subject matter expertise, and they have a different priority, and they have a different set of goals and criteria that they care about, and often security is adding friction to what they're trying

to achieve. And it's in the abstract. So one thing I learned in this director role, which I'm still at and hope to be at for a while: building trust, which sounds super cheesy, has been incredibly helpful, and being reasonable and flexible and not dogmatic and not militant in what I'm trying to get done. I think, I hope, I've been able to build better relationships, which helps in times of crisis. Especially... So does it help you, sorry to interrupt,

but does that help you, like, when you say no, they understand that you're not just flippantly saying no? Like, there's a well-rounded reason. You've established that level of trust, that they know that when you say something, it's for a good reason. Is that how it manifests? In part. Or if we're asking for something to be changed, or a control to be added, or asking someone to reprioritize. Something recently came up that was a supply chain attack on a well-known package.

And we had to ring the bell on that and trump a lot of people's day-to-day activities to deal with it. And we do that rarely, and that establishes credibility, I think, that we only do it when we actually need to. And so over time, those other teams and those other leaders, when we come to them and say, hey, we've got a potential incident here and we need X, Y and Z, they're responsive because we're not,

in their mind, crying wolf. We are only doing that when we absolutely need to do it. Or, hey, we want to put this control in place, or we want you to fix this vulnerability by X amount of days, and being willing to have that conversation about their priorities and what they've got going on and why this matters, and just overall trying to be reasonable

about the security demands. To be fair, this is also in a non-regulatory environment that doesn't have laws, or the force of law behind the regulatory demand, forcing certain things. So we can be a little more flexible in the environment I'm in, where a lot of places you're at, or what you were doing, there are very clear guidelines that have the force of law, and people could get seriously fined or go to jail if this isn't followed.

So those are also things too: we need to not burn our capital on all the stuff that isn't that. It's an odd way to say it, but you've got a mandate from leadership, but that mandate doesn't mean that people will want to work with you. And I know I just completely hijacked this topic. I don't even know if this is what you wanted to go down, but... No. It's exactly what I wanted to go down.

And the other thing that I would say is, everything takes twice as long to get done in the real world than you think it will. And everything you think is easy, you just do XYZ. It's never "you just do XYZ." And that's one thing that, now that I have some years on me at this point, I do a little better job of estimating, from a lot of scars from previous attempts, how long things will take.

And I think you've got to account for that murky factor of things that you're not expecting to go sideways going sideways, and have an A, B and C plan, and give yourself wiggle room. One thing: I'm at a high-performing, fast-acting, get-things-done, move-fast, break-things kind of company. And there's a lot of times I've been trying to nudge the culture a little more towards: let's be a little more thoughtful. Let's be

a little bit slower. Let's be a little more methodical, and we'll have a better outcome. So you don't have 10x engineers. You have 11x engineers. Don't you? I try not to put a number on it, because then they get sandbagged down to that number. Well played. The other thing I would say is budget actually plays a part. Everything costs money, and everything costs time, people time, whatever it is.

So knowing your best bang for the buck, and not chasing the edge cases, and not letting the perfect be the enemy of good enough, is another area that I've spent a lot of time trying to get right, and get that balance right. Are we better off than we were before? Can we sustain what we put in place with some level of mastery and some level of competence? Then we're moving in the right direction. Yeah.

Is it a perfect solve? No. Can people find ways to get around this if they really wanted to? Yes. But does it move the bar the way we needed to move it? Is it better than what we had, and is it building a foundation we can grow off of? Then that's not a bad thing. What about you? You've had far higher-level exposure and a lot bigger job than I've had the last couple of years. What are some of your big lessons, larger takeaways? I've been thinking a lot about where the scars are.

And you hit on something that was very interesting about laws and regulations. And certainly, where I was at, there are a lot of regulations that apply globally. There are industry regulations. So for example, you might be a critical service provider for the financial or for the banking industry, so you may fall under banking regulations. You may also, in another country, qualify as critical infrastructure, and so then that country's critical infrastructure laws

come into play. And these all have the force of law. They can fine you. Typically, they won't throw you in jail, although we are starting to see a little bit of that here in the US with some SEC-related matters. Although I guess it'll be very interesting to see how that plays out with the Chevron doctrine now being overturned. That's a whole other... That's a whole other discussion. This is a non-political show, Jerry.

A whole other discussion. All I'm saying there is, hold on to your butts. Hey, I actually pretty much expected you to go to jail. I lost that bet. You're surprised I'm still here. I'm happy-ish. I just... It was a big bet. Paying that bookie off for a while. Put it all on prison. Alright. So an interesting thing happens, especially in an industry or in a business where you are a high-profile service provider. You not only have these regulations and laws that are

at varying levels of prescription. You also have to attempt to show your customers that you're trustworthy, and, especially when you're a cloud provider, you can't have every customer coming out and auditing you. That just isn't a very scalable thing. And so you end up collecting all of these industry attestations like SOC 1, 2, 3 and ISO and the many others, HITRUST and whatnot.

And the interesting thing that comes along with that is what I'll call the tension between compliance and security. Because each of these programs has its own set of requirements. And in some instances, they are quite pedantic.

They're not risk-based. They're just pedantic, and they can have the effect of absorbing a lot of the organizational ability for implementing and adopting new security controls and new security processes, though they might not be the most impactful things. And so there's this tension between doing what lowers the risk the most, the fastest and most economically, versus the need to meet some compliance mandate so that you can woo new customers.

Now, certainly, they're tangentially related. And what I found worked best, and I'm not going to say that I was a master at it, was trying to find opportunities to take those compliance mandates and use them in furtherance of actually improving security. There's, I think, a bit of an art form there. But in some instances, there's just not a good fit. One of my observations is that a lot of the regulations,

even those that are applicable to cloud providers, are really not contemplating the kinds of things that you need to do to secure yourself from modern threats. And you, as a business, need to be off investing in novel things to address these emerging threats. But meanwhile, you've got people still wanting you to show that you have D, for example. So the threat is all past it, but your resources are getting chewed up fighting the last war.

And once the regulators put that requirement in place, they are loath to ever take it out. Exactly. I would riff off that a little bit too and say that, having worked at a credit-card-focused financial in the past, PCI was, of course, the bread and butter there. And you could get anything done if it was under the guise of "it must be done for PCI." But you couldn't get folks to go an inch past it. That was their benchmark. And it was a double-edged sword. Right?

You had a lot of buy-in and cooperation to reach that PCI benchmark. But now that became your limiting factor in terms of going beyond, to address new and different threats that are emerging far faster than I think the regulatory bodies can keep up with. Right. Yeah. The management team wants to know, why do we need to spend this X millions of dollars, or what have you, on this new thing? Nobody is asking for it. Why do we need it? And this

is always the challenge we've had. It's proving the ROI of security tooling, or security whatever it is, not just tooling, security stuff. How do you prove the breaches you avoided? How do you prove the security you improved to avoid an outcome? Yeah. And that has always been a problem. Yes. How many planes did the TSA save? That's a very difficult number to count. You can estimate. So that was an interesting challenge. And it kind of dovetailed into... you talked

about the budget woes. There is only so much money to go around. Now, I will say, my former employer took security very seriously, and in most instances put their money where their mouth was. So I think I was quite fortunate in some instances because, like, security was part of the brand they were selling, and so there was a lot of interest in making sure that we were secure. Having said that, like, never perfect, but that was good.

Another thing that I noticed, by the way, and I think this is probably an artifact of larger, older organizations, is the importance of standardization. And I don't mean that necessarily in a security context. Standardization: not everybody has their own bespoke Linux build on everybody's individual server.

So yeah. One of the challenges that can arise, especially in an organization that wants to move fast, is the tendency to allow what I'll call, you know, entrepreneurship in terms of designing and building services and whatnot. You can gain a lot of speed by doing that. But one of the downsides that you will run into is, when you want to do something new, when you need to make some material change, you end up not having to do it

once. You have to do it once for each different platform that you've allowed to creep into your environment. And that is a challenge. And most of the different technologies have their own management and instrumentation platforms. And so you get to the spot where you've stretched yourself very thin, and it can be difficult to do something that seems like it should be fast and easy. Is that also tied to tech debt and old stuff that isn't taken out of the environment or retired?

Yeah. I definitely think so, but I think there's also a pattern where you can be, for lack of a better word, accruing new tech debt in real time. Because everything that's different takes that much more energy and mindshare to manage and process differently than what you had before. Exactly. So isn't that sort of at odds with innovation? Yep. It is. I once... I suspect I probably talked about it on the show, but it's been a long time.

I once remember hearing the story about the piano, and how there was an opportunity to build an instrument that more or less had an infinitely variable set of tones and pitches. The designers of the piano chose to have 88 keys and some pedals and whatnot. And one of the assertions is that that limiting factor actually allowed for, you know, innovation, like, really significant innovation from the music perspective. Right? So the assertion was that if a composer and a pianist

had, and I'm not sure I said it right, but I pointed that out, had an infinitely variable keyboard, as it were, it'd be more difficult to write music. And so I think... So the answer to your question is certainly yes, it can. But on the other end of the spectrum, allowing non-standardization ends up becoming a drag on the system, which then takes away from your ability to invest in new innovation. If you look at it in the micro and say, for this specific service, or offering, or product, or what have

you, if you try to apply some rigorous set of standards, yeah, it's going to take longer. The developers are not going to like it. But in aggregate, I think you end up spending a lot less money and fewer resources managing things, that you can then apply to new products. And then also, when you want to go and get into some new market that requires some new security controls, it's more manageable to do because now you have a much smaller number of platforms

to change. So that was an observation that I made that I didn't really have at the top of my mind going into it. Yeah. No. It's interesting. It has a lot of implications. Like, I could go down that rabbit hole for a bit in terms of, how do you manage that? If you need to iterate to a new

standard, do you bring everything with you? And does that mean that the benefit of whatever it is you want to go to the new standard for has got to be substantial enough to justify the disruption and cost? And again, does that slow down your innovation? Or does it just constrain folks to, hey, here's the set of tools to work with, you can build a lot with these tools. It's one of those things that is much easier to avoid than it is to fix.

Yeah. For sure. The best advice I can give is to create some enablement around adopting standards, you standardize whatever it is, and then draw a line in the sand, and then, obviously, support those businesses when they go and complain for additional money. And then what about iterating those standards, or how often would you change them? I think that they have to be written a little

bit so that they're somewhat enduring. So if you think about, like, down at the operating system level, you have to be thinking about it more as n minus 1, n minus 2, n minus y. For others, I don't have a good answer, other than it has to keep pace. So as an example, when you're a cloud provider, like, API keys are everything. And so you've got to stay on top of the latest trends on how best to manage those.

But in other instances, like multi-factor authentication, there's not a lot of new stuff happening there. Yeah. Makes sense. Makes sense. Boy, that's an interesting challenge though, but I can see the value. That's one thing I try to have: don't have a ton of tools in the environment that we don't understand and don't know. Have mastery

over the tools we have. And the more tools, and the more different tools, and the more different environments, the harder that is, and then nobody knows when something's weird or out of normal range, because they don't know what normal is, because everything's different all the time. You know. Makes sense. Absolutely. You stretch yourself thin. Right? To some extent, it's a zero-sum game. And so, you know, you support all those various tools to the business's detriment.

So it's almost like the context-switching cost in a multitasking situation. Your brain has to switch: okay, I'm supporting this. Now, okay, what's different about this, and this is weirder, and this is a bit nuanced... Yeah. Yeah. Makes sense. But I can see how that would be a tough argument, because that's such a long-term view that is not intuitive, I think, to a lot of executives. Yeah. I think it takes a lot of strong leadership, I guess is what I'll say.

So blackmail material is what you mean. Strong leadership, blackmail. The line is, results were... What is the line? Results are achieved. That's right. I'm pretty sure I read that in a management book or similar. So what other key lessons do you think? So, you know, one thing that I used to talk a lot about was the importance of, I'll just paraphrase it, saying that IT people and, to some extent, security people need to have a bit of an adversarial mindset.

In the past, I worked on many security incidents, and I've got to say... You caused them? Not that anybody can prove. Sure. You were involved with them. Yes. They happened in my proximity. Sure. Check. Got your point, sir. So my observation was, in the aftermath of those, to some extent, people don't really realize, and by people I mean smart IT people, they don't realize how things can go wrong. And I think in many instances

it's due to a lack of creativity. And I don't mean that in a pejorative way. If you're an IT architect designing some system, your challenge is to build the system that works. The challenge is, you don't necessarily know how the thing you're building can fail. And I found it extraordinarily important,

and again, the business was super supportive in this, to have a strong component around pen testing, and trying to infuse that thought process, not just in the security function, but even, you know, more broadly across the organization. Because again, it's a trope, right? Security starts with the people.

And yeah, when you've got people developing things, you have an opportunity for people to, you know, design it securely versus insecurely, and you really want them to hopefully get off on the right foot. So I found that to be very important, very helpful, and I think it reduced some of the churn later in the process. So that was good. Yeah. That makes a lot of sense.

My only sort of thought on that is, occasionally I get into situations where you've got a developer or IT person or whatever asking security to prove how something could be exploited. Yeah. Which is an interesting question, but I think it puts security folks in a rough spot, because it's basically saying that the security team, or whoever, needs to know everything the bad guys could do. They've got to be as creative as any bad guy to prove to whomever they're

working with that this exploit could happen, as opposed to learning best-practice patterns that we know avoid possible, yet unfavorable... That is one of the benefits of having what I would consider to be world-renowned testers on my staff, which I know that not everybody has. Not everybody has that luxury. And so, to that point, I think you're spot on. I think, broadly speaking, pen testing is, you know, a very vital part of a responsible security program.

Though I recognize not everybody can afford it. In instances like that, my takeaway would be, oh, like, if you're going to go to bat like that, then we'll see what... when we do our annual pen test, we'll see what it comes back with. But beyond that, it can be an exhausting fight, which leads me to my next observation, which is actually burnout. Yeah. It's real.

Yeah. And so, look, when you've got an organization, you know, especially a technology organization, and I think it's not different than what you said, like, the entire organization believes they know how to do your job better than you. Generally speaking, they may not admit it. They may not say it in those words, but when push comes to shove, they're smart people, and so they have a particular view on things. And I think it's also...

That view is also typically colored by what their business priorities are. Yeah. What are their incentives? What are they judged on? What are they being asked to do? And so it's that constant... I've struggled with the burnout, felt like since the start. And by the way, it's not necessarily a reflection of

the business or the job. It's really more, I think, a reflection of my ability to cope and to, I want to say, behave, to manage things in a way that would have avoided burnout. But I definitely felt it, and it's not pretty. I think it's very common

in the industry, by the way. And I suspect that at some point in the future, and I don't mean in any way to downplay people who have actual PTSD from actual traumatic events, but I suspect in the future we're going to find some kind of variant of PTSD for some segment of technology workers. Yeah. I'll admit that I am fighting burnout myself right now. And again, I don't blame the job. I don't blame... like, it's not a toxic place, and

the people are great. It's just, I'm finding it harder and harder to disconnect and recharge, and have the same level of energy, and it takes more discipline to do the job, where before it was a little more effortless. I feel that I'm fighting burnout where everything that normally was either fine or even enjoyable is now a bit of a slog to get through. And I don't think that's a reflection on the tasks. I think it's a reflection on

me. And to your point, yeah, there may be better techniques I could learn, or ways I could cope better or manage that stress better. And then I also wonder, maybe there's only just so much time that a certain type of person, if I take myself as an example, can do a certain job before you start to burn out, and it's somewhat unavoidable and you've got to take a break or do something different?

I don't know. And look, I don't mean that my job or your job or ex-job is among the most stressful there are. There was a recent study about the top stressful jobs, and I don't think we made the top 10. No. But it's an individual thing though. It is an individual thing, and my personality is my personality. And I can read books all day long about how to be more resilient, and I can do all those things, and they marginally help. By the way, I did that.

I went to therapy. I read the books, and it did help. But at the end of the day, I think there may be a compatibility problem, or maybe it's just that the demands of that job and the capabilities on my part are just not congruent; they don't line up. Yeah. Do you think it is that simple, that certain people will be more successful than others? Or is it a time-in-seat problem? Or is it that the demands of technology are moving so fast

that most people will run into this problem after a period of time? That's a really good question. So I do want to stop and say, the business I was in was amazing. The people I worked with were amazing. The team I led, I think, was among the best in the world. Like, they are phenomenal. And one of the things that happened: I left last week. And so last week was

an emotional thing for me. I had been with IBM for 18 years, and I was with other companies that had been acquired by the same company for 7 years before that. So 25 years all total. And so I had lots of friends. And one of the interesting things that I heard, as people were doing their normal giving-the-speech thing, was how technical I was. And it led me to start thinking, like, maybe that's a problem.

Because I hear a lot of IT people or security people complain about how their CISO is not technical. And maybe technicality, or the level of technical prowess, is not the right parameter, but I think maybe it's more: not getting too far into the details. Yeah. Is where I went wrong. So if you're less technical, you're forced by default to abstract further from the details? Yes. That's a very short way of saying what

I took two minutes to say. I'm just reflecting back to you what I heard. So you... It was your idea. I'm just trying to be a good co-host. You nailed it. That was perfect. I think it's true. I think there's a benefit and a cost. And look, we were talking about how everything has a budget. And I think if your brain is highly technical, that uses budget from other skills and other capabilities,

and it could be how we default. And one thing I've seen over and over in my career is that we take technical people and reward them with leadership roles, but without preparing them in any way for the different skill set that requires. Like, you're good at managing the firewall. Go be the firewall manager. That's a whole different thing. And you didn't do great at that. How about managing the whole department?

And this is a whole other huge topic we could unravel, but I don't know. I think burnout is a really tough problem, and I think it's very individual. And I sometimes wonder if, once you get to a certain level, things are moving so much that you almost have to not care as much as you used to, or you'll drive yourself insane.

I think so. I absolutely think so. And throughout my career, I look back at a lot of the executives that were either peers or above me, and I've often thought about how it feels like many of them are somewhere on the sociopath scale. And I'm not sure that they are actually sociopaths as much as they've developed coping mechanisms that give that appearance. And it's a good thing they're not doing your reviews any longer.

I was, of course, not talking about any of my current or... I guess they're all former. I had really great leadership that was super supportive. I think I was probably in one of the most unique spots ever, at least that I know of, where security was such a core

component. Which, by the way, is a good and a bad thing, because on the plus side, the whole business spins on that axis and they take it very seriously. On the other hand, you have just a panopticon of eyes staring at you from everywhere. It's a tough gig? It was an interesting challenge, and obviously, I wish them well. I think they're a great bunch of people. And it's an interesting time, by the way, for cloud providers generally. You're starting to see some,

I won't say backlash. But you're starting to see some people or companies starting to see the polish wearing off on cloud. Yeah. And so I think we're gonna see more of that. And cloud will, you know, find its niche in the market. Obviously, I have opinions on what that will look like. But in aggregate, I don't know exactly where it's gonna land. Certainly, we're still in that heyday right now.

Yeah. It's interesting. And obviously, as soon as we start to get one thing figured out, something like AI shows up and is highly disruptive. Oh, my god. Yes. And everybody and their brother selling you anything has gotta now include AI in it, whether you want it or not. And it is one of the most impressive, rapid shifts in a market that I have seen in my career, and I don't know if it's real. Or if we are soon to enter the trough of disillusionment, as the Gartner cycle would have us believe.

And this, by the way, is something that is really often the debate, especially on Mastodon or the Fediverse. Right? There's a lot of poo-pooing of AI, and I think you're starting to see some of the industry analysts talking about how AI may not be able to live up to, meet its pretty high expectations. And I think this... Probably, you can contrast it with some of the other bubbles, like blockchain.

I see a lot of people comparing AI to blockchain, and I think that's the wrong thing. Like, blockchain was always gonna be a yawner. Right? It just happened to be at the right place at the right time to get a bunch of hype around it. But I think if you look at AI, like, there's a lot of actual productive... Yep. And a lot. I don't mean, like, here and there. A lot.

Of productive use of AI. I think where what is going to fall apart is this notion that everything has to have AI in it. I think that's the thing that's gonna probably fall by the wayside. And I think the term will get so diluted. Not all AI is equal. Correct. Now we've got countless different models that are meant to do different things, and so just saying we have AI could be... You've got a bunch of if-then scripts. I don't know.

Doesn't mean much to me. What AI? I think we're going to find effective AI for effective techniques. The other thing I would say is this feels much more like a very fast version of the migration of businesses to the web in the late nineties. Yeah. I was gonna say cloud, but I think that's probably a better analogy. Yeah. Because it feels like every single vendor, if there's some sort of IT or security vendor, is now

having to include it. It's wild. I'll tell you the other thing is, watch, like the gold rush: the people who got rich off the gold rush were not the gold miners. They're the ones selling the shovels, and we're seeing that right now too. Yeah. Nvidia. Oh, it is. Has that shovel factory going in overdrive? Oh, that is for sure. Let me ask you this, and I don't know how many more key lessons you have. But one question I did wanna ask was, if you could go back and tell your earlier self

something, or a couple of things, before you started the CISO gig, what would you tell yourself? "Don't" is not an answer. No. I actually... look, I'm happy that I took the job. I'm happy that it happened. I'm happy that I got to meet all the people. I'm happy with the things that I accomplished. I'm not happy about the things I didn't accomplish. But I think it would be to delegate more. Mhm. Number one. I think it would be to

not get into the details. And maybe that's a flavor of delegation. Look, I led a team of approximately 200 direct people and 600 more. It was a big operation, right, with lots of moving parts. And I think I let myself get sucked into the machine. I got sucked into the engine, as it were. And so I think my comments to my former self would be to not let that happen. And I don't know how... this is another one of

those things. Yet again, easy to sit here and say, but I actually don't know exactly how, knowing myself. Like, I don't know how I would do that. Your attention to detail and technical skills are what got you there. So naturally, you feel comfortable continuing that same technique, because that's what has led to your success to that point. Right. Yes. Let's see, what else did I have on my list here. Oh, so a similar little late... a couple layers down deeper.

An observation I have is: holy god, is the firewall market a disaster. You might have to expand on that for the nine of ten. So I know that we haven't been here to talk about it, but there has been an absolute express freight train of amazingly bad security vulnerabilities in firewalls. Yeah. You know, and it's been falling on almost all. I can't think of a big name that hasn't had, you know, big... Like, even Check Point made the hit parade in the past couple of weeks.

They had somehow evaded it, but Palo Alto and Citrix and F5, they've all been just brutal. And I think, by the way, the consumers of them take it a step further and often shoot themselves in the foot, because a lot of the time, not exclusively, but a lot of the time, these vulnerabilities exist in the management interface. Mhm. And so, like, why is the management interface on the Internet? Because it's easier. Because easy.

And there was one vendor, by the way, that in their low-tier consumption model, the default was that it was exposed to the Internet. But it wasn't until you bought their premium tier service or package that it was behind the firewall. That is a source of much consternation with many vendors right now.

Many people feel that important security tooling or logging or visibility or control shouldn't be behind a more expensive tier of the service or product you're buying. And we have heard a whole lot of that lately, including Microsoft's massive Office 365 breach and how complicated that was because of the key logs and indicators of compromise and whatnot that were not available to every customer because of the tier of the service they bought. I'm massively oversimplifying that. I know. But it's...

Yeah... It's rough. But I'd also say that I almost wanna point a little bit of blame at the cloud providers who have built this concept of Internet-facing first. For a lot of folks who are learning IT for the first time in a cloud environment, the concept of a secured data center behind a firewall...

It's an old concept now. And so we've heard this phrase that the perimeter is disappearing and everything is your attack surface. I think that sounds great at the top of a research paper or a marketing slug, but it's not a hundred percent true. If you can get something off the Internet, you'll dramatically reduce the attack surface that the random scanner coming from China is gonna hit, and they've gotta work a lot harder for it. But I do think we've lost that concept of...

I know we're old fogeys. I get that. But in the early days, exposing something to the Internet was a big freaking deal, and now it's not. Now it's common, every day, no big deal. And that's Fo, if you ask me. Now, certainly, some of these are remote access. Some of these are firewalls, so they're meant to be exposed. So you can't really avoid that. But to your point on the management side, or the management plane. Yeah. Come on. Why are you trusting

that that interface is always gonna be so rock solid? I think there's this assumption that it's a product from a security company, therefore it's secure. And I think we both know from personal experience it's almost like exactly the opposite. So... Have all my NDAs expired? Or can I tell these stories yet? I would not trust that. Not yet. It is... It's wrong-headed.

And to be fair, they're doing the best they can with the resource constraints and everything else they're dealing with, all the different external factors that are applying to them. Nobody's meaning to be malicious or dumb or bad. This is a full-contact sport, man. Yeah. Absolutely. And by the way, we've seen, in many instances, the VPN listener actually being exploited, so it's not exclusively these management consoles,

but they're a common problem. If you've got those, get them off the Internet. Save yourself some pain, for sure. Maybe in a show coming up, we can dig deeper into this, because it's a whole... Okay. You've been exploited. Do you brick that piece of hardware? Can you ever trust it again? So there was an interesting case a couple of months ago with... I think it was Palo Alto. Pretty sure it was Palo Alto, where

they had published a zero-day, or what was a zero-day, or the patch for a vulnerability, and then it came out that it had been exploited. And they said if you have this particular setting turned on, then you're not vulnerable and it's okay. And then a couple days later, they came back and said, we were wrong, that setting wasn't enough to protect you. And by the way, it is being exploited. But here's what you want to do. Here's

the thing that you need to do. And I think they did that like three or four times; they retracted what they previously said was keeping you safe. And then they were also, at some point, saying this is what you need to do if your system had been compromised. Here's how to clean it. And then eventually, I think they got to the point where, I don't know that you can actually fix it yourself. And some of that is fog of war. Right? Some of that is just competent

investigations. I don't throw too many stones. I live in a glass house, but it's a tough situation. No. I think it doesn't... It isn't meant as a pile-on to Palo Alto, just that this is a challenging landscape, because at the end of the day, for us as IT people to have a functioning environment, something almost certainly has to touch the Internet, and that's typically a firewall.

We can't have risk zero. Right? We have to do business, and that's going to have risk involved. We forgot our disclaimer, by the way, at least I did: that all these thoughts and opinions do not reflect our employers. You're an unemployed bum. So do not reflect my previous or future employers. Put that at the top of the show. Good for you again. I'm being very careful not to say anything that is

confidential about my current employer, as I would with any employer and previous employer, because I think that's just not very professional. But we try to take some abstraction from these roles and talk to them. So I'm always trying to walk that careful balance between giving valuable, useful information without disclosing confidential information that I'm not supposed to disclose.

So all that being said, one of the things that I think is important is having a good bench and skill set to be able to react to vulnerabilities in your product when they're disclosed. And yes, because it will happen. Like, there is no vulnerability-free way of doing this. Sorry to report. And maybe it's a ton of things you can't control. You may have thousands of third-party dependencies you have no control over. Nobody can code everything from scratch.

You could do your best to audit. Mhm. We've got an OpenSSH vulnerability out right now that is a remote code execution against the SSH listener that is open to the Internet. There are some caveats there that make it a little harder, and it's probably not easily exploitable by, you know, most people. But that's a really scary, big library that most people are using, including in their tooling, with a full RCE for root on a port that's meant to be open to you.

Sure. There are ways. In this case, you could probably figure out if a vendor had done XYZ to run it more securely and this and that, but the concept stands: these things are gonna happen, and it's more how do you deal with them quickly and rapidly and with credibility when they do. Hundred percent. And I would also say it's about attack surface reduction. And OpenSSL, or OpenSSH I should say,

is often exposed to the Internet. I won't even venture how many millions of endpoints have that exposed. Like, not every server in your environment needs to have its SSH port exposed to the Internet. It's true. RDP is a much better choice. Or VNC. Or hey, let's just go full TeamViewer. Sure. The good news is you're gonna have a lot of undocumented admins helping you run your stuff. That's true. And think of all those extra backups you'll have.

Oh, I feel like we're going long. Any other key lessons that we wanna throw into this episode? To sum up the last four years: security is hard. It's not for the weak of heart. I can definitely say that. It's been an amazing experience. I mean, like, super happy that it happened. But I'm ready for a break now, and then I'll get back on the horse. That's fair. Do you know what you're doing next? I don't know.

I don't know. I would like to do some sort of, you know, something more independent. Obviously, if the offer is right... I'm currently unemployed, there's no money rolling into my bank account right now. So I'll be entertaining whatever, but it'll have to be... I think I'm gonna be more selective about what I do next. I'm hoping to find something that allows me to spend more time on more personal hobbies like podcasting and running infosec.exchange and all its friends and

photography and that sort of thing. My family. I think you've certainly earned it. Yes. Thank you. And I think we'll cut it here. So I'm gonna say thank you to all of the listeners who still have us in your RSS feed. Like, it will be interesting to see how many people... I don't think we're gonna make a lot of hay about this. I'm curious to see how many people notice. But I'm pretty sure there's a few mental wards that still have us, a few CIA black sites that are probably using us for punishment.

At Gitmo, probably looking for some new material. They're probably getting tired of the same old episodes. It's true. But, hey, if you like us and you used to like us, tell your friends. That's right. We would love to get our listener base back. We're still planning to be completely sponsor-free. We're still planning to be completely independent, with nobody influencing our editorial, and giving you our raw, unvarnished truth, for whatever it's worth, and probably exactly what you pay for it. Right,

definitely appreciate you. Hope this was in some way useful to you. It was certainly cathartic for me. And I think we'll be on a more normal format next time. Excellent. So with that, we'll talk again next time. In the meantime, you can follow Mister Kalat? I am on X slash Twitter at lerg, and on Mastodon on Jerry's fine server, infosec.exchange, also at lerg. And you can find me... I've all but abandoned X. I just can't anymore. But I spend all my time now on the Fedi. It's jerry

at infosec.exchange. So look forward to talking to you again soon. Have a great week, everybody. Thanks, guys. Bye. Bye.

Transcript source: provided by creator in RSS feed.