SEC.co Podcast

Eric Lamanna
  • 0.0 (0)
  • Technology

A podcast about latest trends, techniques and learnings in cybersecurity and cyberdefense.

Episodes

  1. 1d ago

    AI vs. AI: Machine Learning as Both Cyber Weapon and Shield

    Cybersecurity has entered a new era defined not by individual hackers or static malware, but by artificial intelligence fighting artificial intelligence at a scale and speed no human team can match alone. This episode of Cybersecurity examines the double-edged nature of machine learning — drawing on this six-minute deep dive into how ML is both a cybersecurity threat and a solution — to map out exactly how the same technology is being weaponized by attackers and deployed by defenders simultaneously. The episode covers both sides of this algorithmic arms race in depth, including: AI-powered phishing at a new level of sophistication — large language models now craft spear-phishing emails so contextually precise and grammatically polished that even experienced security professionals are fooled.Voice cloning as a financial threat — documented cases show employees authorizing wire transfers after receiving AI-generated audio impersonating their own CEO in real time.Self-learning, adaptive malware — modern polymorphic malware goes beyond changing its signature; it analyzes the defensive environment it lands in and rewrites its own behavior to evade detection dynamically.Behavioral anomaly detection replacing signature-based antivirus — instead of matching known threats, AI-driven defenses now baseline normal activity and surface deviations before attacks reach their final stage.The blind spots defenders can't ignore — adversarial machine learning techniques can manipulate AI models into misclassifying malicious code as clean, and models trained on historical data will always have gaps against genuinely novel threats.What good AI-augmented security actually looks like — the most resilient organizations treat AI as a force multiplier for human analysts, prioritize explainability in their models, and maintain layered defenses rather than relying on any single technology.The episode resists easy conclusions about who is "winning" the arms race, arguing instead that both attacker and defender capabilities are advancing in lockstep — and that overconfidence in automated defenses may create a false sense of security more dangerous than no security at all. For listeners who want to go deeper on how attackers manipulate AI systems themselves, the earlier episode Adversarial Machine Learning: How Attackers Are Breaking AI pairs directly with this one. SEC

    8 min

  2. 2d ago

    Adversarial Machine Learning: How Attackers Are Breaking AI

    Machine learning models power some of the most sensitive decisions in modern security — from malware detection to fraud prevention to autonomous systems. But beneath the surface, these models carry a structural fragility that attackers are actively learning to exploit. This episode of Cybersecurity explores adversarial machine learning: the growing discipline of deliberately manipulating AI systems to produce wrong answers, often without leaving any visible trace. The discussion draws on the adversarial ML attack and defense breakdown published by SEC. The episode covers the core mechanics of why AI is uniquely vulnerable, then walks through the major attack categories defenders need to understand: Why AI is structurally fragile: Machine learning models are statistical pattern-matchers, not reasoners — a fact that makes them susceptible to targeted manipulations that wouldn't fool any human observer. Evasion attacks: Crafted inputs delivered at inference time that cause misclassification, such as subtly altered malware samples that slip past AI-powered scanners or perturbed images that defeat facial recognition. Poisoning attacks: Malicious data injected into training pipelines before a model is ever deployed, causing it to learn the wrong patterns in ways that are hard to detect and deliberately targeted. Model inversion and extraction: Techniques that use a model's own outputs against it — either to reconstruct sensitive data from the training set or to steal a near-identical copy of the model through repeated querying alone. The defender's dilemma: Why adversarial training, runtime detection filters, and other current defenses help but don't solve the problem — and why attackers hold a structural asymmetry advantage for now. A realistic security posture: Layered defenses, careful training-data validation, skepticism toward model confidence scores, and mandatory human oversight for high-stakes decisions. The episode closes with a frank assessment of where the field stands: models are being deployed faster than defenses are maturing, and the right default assumption for any security-critical AI deployment is fragility, not trust. Traditional software security techniques don't map cleanly onto machine learning systems — this threat requires a fundamentally different mindset. SEC

    8 min

  3. May 30

    Bare Metal Backdoors: Detecting Persistent Firmware-Level Implants

    Firmware-level implants represent one of the most persistent and difficult-to-detect threats in modern cybersecurity. In this episode, we break down a recent deep dive from the SEC.co cybersecurity blog — specifically the analysis titled Bare Metal Backdoors: Detecting Persistent Firmware-Level Implants — exploring how adversaries plant code beneath the operating system and what defenders can do to find it. Firmware lives below the OS and often below the hypervisor, which means conventional endpoint detection tools never see the earliest stages of an attack. Implants at this layer can patch the boot process, hook option ROMs, or alter device initialization so that malicious code loads before any security agent is active. Persistence comes from storage like SPI flash, nonvolatile variables, management controller images, or peripheral firmware — all of which survive operating system reinstalls and standard reimaging procedures. Because many organizations treat firmware updates as rare maintenance events, unauthorized changes at this layer blend seamlessly into normal operations. The threat landscape at the silicon layer is especially attractive to sophisticated adversaries. It offers preboot execution, early memory control, and the ability to subvert trust anchors that all higher software assumes are honest. Targets include UEFI components, trusted platform modules, system management mode handlers, and the code running inside network and storage devices. Many organizations lack even a basic inventory of firmware versions across their fleet, which means they cannot answer fundamental questions about what should be present on any given machine — giving implants room to operate undetected for months or years. Detection starts with building a gold baseline. This means creating a detailed, component-level firmware inventory that captures the boot chain from the reset vector through early initialization, bootloaders, and into the first moments of the kernel. The baseline should record firmware regions, vendor identifiers, capsule signatures, expected register values, and configuration flags that influence secure boot decisions. These measurements should be stored in an attestation service bound to hardware roots of trust, so that any deviation from the expected state becomes immediately visible rather than something discovered during an incident six months later. Instrumentation is critical because you cannot defend what you cannot measure. Tools that compute hashes of firmware volumes and device ROMs — independent of the operating system — are essential, since a compromised OS cannot be trusted to report honestly about the layers beneath it. Boot auditing and TPM event logs allow defenders to compare what actually happened during startup with what the baseline says should have happened. Serial console captures from bare-metal provisioning often reveal pauses, retries, or anomalies that polished dashboards miss entirely. Memory forensics taken immediately after boot can expose hooks in System Management Mode or altered page tables that bridge into kernel space. Indicators of compromise at the firmware layer include mismatched firmware hashes, unexpected changes to TPM platform configuration registers, unusual preboot delays, devices that initialize twice, altered option ROM sizes, sudden Secure Boot validation failures, and repeated rollback attempts. When a system claims to have passed measured boot but the evidence tells a different story, that discrepancy demands immediate investigation. However, false positives are a real challenge — vendors sometimes change signing keys or region layouts in routine updates, so defenders need to track expected divergences per hardware model and add context like known update tickets to their alerting pipeline. Supply chain hygiene is equally important. Trust begins before a server is racked or a laptop is unboxed. Procurement criteria should include signed firmware, reproducible builds, a documented update cadence, and responsive vendor security contacts. Maintaining a component-level software bill of materials for firmware allows organizations to evaluate their exposure when new vulnerabilities emerge — based on data rather than guesswork. Team workflows matter too: platform engineers and security teams need shared dashboards, shared vocabulary for boot stages, and on-call rotations that include people fluent in boot logs and preboot diagnostics. When a suspicious implant is discovered, the response protocol differs significantly from standard incident response. The device should be quarantined at the hardware boundary — including management interfaces like IPMI or BMC that could be used for reflashing or command-and-control communication. Evidence preservation means dumping firmware regions, event logs, and early boot traces before any remediation alters the state needed for forensic analysis. Only after thorough evidence collection should reflashing or reimaging occur, and even then the subsequent boot cycle must be monitored closely to confirm the implant has been fully removed. The bottom line is that firmware-level threats exploit the widest visibility gap in most security programs. Organizations that invest in firmware inventories, baseline attestation, preboot instrumentation, and supply chain rigor dramatically reduce the risk that a silent implant will take up permanent residence in their infrastructure. For the full technical breakdown, read the complete analysis on SEC.co.

    9 min

  4. May 22

    Cloud Egress Control: Policy-as-Code Best Practices for Cybersecurity Teams

    Episode summary: Cloud runtimes are noisy neighbors. They spin up, scale out, pull containers in the middle of the night, and sometimes try to befriend the entire internet. Every outbound request is a potential exfiltration lane, a misrouted secret, or a compliance liability. In this episode, we take the SEC.co article "Cloud Egress Control Best Practices: Policy-as-Code" and expand it into a comprehensive discussion of why controlling outbound traffic in cloud environments is far harder than it looks on a whiteboard — and how policy-as-code gives cybersecurity and platform engineering teams a practical, scalable, and auditable way to solve it. For anyone responsible for cloud security, infrastructure operations, or compliance, egress control represents one of the most deceptively complex challenges in modern environments. The traditional approach — a short allow list, a few port restrictions, and a confident nod from audit — breaks down quickly in the face of dynamic, modular, container-based workloads that call third-party APIs, fetch ephemeral images, and make constant outbound connections as part of normal operation. This episode explains why that complexity demands a fundamentally different approach, one built on identity-bound policies expressed in code rather than fragile IP-based firewall rules managed through spreadsheets and GUIs. Why this matters now Cloud adoption has reached the point where most enterprise workloads run in dynamic, elastic environments. But security practices around outbound traffic often lag behind, still relying on static IP allow lists, centralized network appliances, and policies that only a handful of specialists can understand. That gap is an invitation to attackers, who know that if they can compromise a workload, unrestricted egress gives them a free highway to exfiltrate data to any destination on the internet. This episode addresses that gap directly with principles, practices, and implementation guidance that security and platform teams can apply immediately. What this episode covers The three traps of egress control: Why binding rules to infrastructure details that rot, centralizing every decision in a single network box, and writing policies only specialists can read all undermine security programs regardless of how well-intentioned they are.Four principles for policy-as-code egress: Encoding intent instead of just syntax, using identity as the primary key instead of IP addresses, building allow lists with managed exception workflows, and keeping policies readable and testable by developers.The golden path for traffic control: How to segment workloads by runtime context, tie DNS validation, TLS verification, and routing together into a layered defense, and centralize observability without creating a chokepoint for change management.A real-world scenario: How identity-bound egress policy protects a payment processing microservice by allowing exactly two approved outbound destinations and blocking everything else, including command-and-control communication from a compromised container.Treating egress points as products: Why your gateways, NATs, and proxies deserve owners, SLOs, and published contracts — and how productizing the egress layer improves reliability and catches configuration drift early.Developer experience: How to bake policy validation into CI pipelines, surface human-friendly error messages, and create fast exception workflows so that developers do the right thing because it is the easy thing.Allow list design with precision: Favoring DNS names over IP addresses, scoping rules by purpose and data classification, and expiring access like perishables so allow lists never become museums of forgotten exceptions.Proving control to auditors: Making every policy decision explainable with traceable reasoning, measuring with outcome-oriented metrics that demonstrate actual risk reduction, and maintaining break-glass override procedures for emergency scenarios.Incident response advantage: How proper egress control limits blast radius during security incidents and gives response teams the forensic evidence needed to understand what happened quickly and accurately.Implementation roadmap: A step-by-step approach to adopting policy-as-code egress control, from auditing current egress patterns through expanding enforcement methodically across workloads.Key themes Identity-bound policies that travel with workloads instead of breaking when pods scale or migrate.Developer-tested rules expressed in formats engineers already know, with unit tests and local validation.Managed exception workflows that kill shadow networking without slowing delivery.Outcome-oriented metrics that demonstrate actual security improvement, not just policy count.Controls as acts of care — protecting data, reducing drama, and earning respect through clear rules and humane tooling.Practical takeaways for listeners: Listeners will leave with a clear framework for evaluating and improving their organization's egress control posture. The episode provides specific guidance on choosing policy engines, structuring allow lists, building developer-friendly workflows, designing audit-ready logging, and measuring program effectiveness. Whether you are starting from scratch or improving an existing program, the principles and implementation steps covered in this episode offer a practical path forward. The core message is straightforward: egress control is not a magic firewall in the sky. It is a set of deliberate choices that tie identity to intent, wrap that intent in readable policies, and route traffic through trusted paths. The fewer mysteries you leave in outbound traffic, the fewer surprises you encounter during an incident. Start with names instead of numbers, give developers a sane on-ramp, practice explainable decisions, and measure outcomes that matter. Who this is for: CISOs, security engineers, platform engineers, DevSecOps practitioners, cloud architects, compliance professionals, and anyone responsible for securing outbound traffic in cloud-native environments. Learn more Main site: https://sec.co/ Full article: Cloud Egress Control Best Practices: Policy-as-Code

    15 min

  5. May 21

    How to Use OpenTelemetry Traces for Threat Detection and Cloud Security Monitoring

    Traditional logs and metrics catch pieces of an attack, but traces tell the full story. In this episode, we explore how OpenTelemetry traces transform cloud security monitoring by linking events into narratives that expose attacker intent. Based on a recent article from SEC.co, we cover: Why traces deserve a seat at the security table alongside logs and metricsLatency as a lie detector — how timing anomalies betray attackersDrop-in auto-instrumentation that eliminates developer frictionEnrichment strategies at the collector layer for faster investigationsQuery tactics: stateful pattern matching, threat graph mapping, and unusual call chain analysisSampling with surgical precision to control costs without creating blind spotsStorage architecture that balances speed and budgetBuilding shared language between security and development teamsTurning trace data into ML training data for future-proofingWhy open standards protect your investmentRead the full article: How to Use OpenTelemetry Traces for Threat Detection and Cloud Security Monitoring

    12 min
  • 5 Episodes

About

A podcast about latest trends, techniques and learnings in cybersecurity and cyberdefense.

Information

  • Creator
    Eric Lamanna
  • Years Active
    2K
  • Episodes
    5
  • Rating
    Clean
  • Copyright
    © 2026 SEC.co
  • Show Website
    SEC.co Podcast