There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Everytime we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.
Sh*t Talkin’, Deep Thoughts & Really Scary Phishing w/ Material Security
This episode of Security Voices is different.
Let’s say you sat down at the end of a long day and had a casual drink with a few industry friends before dinner. The conversation quickly turns to serious topics which are all discussed with thoughtful insight, biting humor and some well-placed profanity. Welcome to the latest episode of Security Voices where Jack & Dave wander off the beaten path with Abhishek Agrawal and Ryan Noon, co-founders of email protection company Material Security. This one isn’t for the easily offended or as the soundtrack to a drive with the kiddos.
“How not to suck as a vendor” is our introductory question, prompting an earnest conversation that starts with “don’t be an active cancer”, covers The Market for Silver Bullets and ultimately explains why the pandemic has made already questionable cyber security marketing even worse.
After exploring some of our top influences, from The Autobiography of Malcom X and The Origin of Consciousness to Joe Frank’s avant garde radio show, The Other Side, we talk email security. In a year that changed so many things, Abhishek and Ryan explain how truly little changed for phishing attacks. While the trend is not compelling, the reason why is. They walk us through what truly makes phishing attacks successful: distracted people reacting to well-timed messages. This hard truth confounds the market for anti-phishing training as ultimately our susceptibility has much more to do with our emotional state at the time than it does our factual knowledge or even our learned behavior.
If you’ve wondered what the difference between phishing and business email compromise (BEC) is, this episode is for you. Abhishek provides a clear explanation of both topics before we forecast an ominous new threat on the horizon: Really Scary Phishing™.
Our wrap-up eschews the usual speed round and instead asks “What can cybersecurity can learn from other industries?” Jack lays out how the service industry has much to teach us about taking care of our own while Dave explains what he learned about empathy and innovation from the advertising industry. We depart on a hopeful note, as Ryan relays a story reminding how small acts of kindness can have a large impact on others.
We’ll be taking a short break before the next episode as Jack and Dave attend to some important “life stuff”. See you in the Spring!
Cloud Security Series Wrap-up w/ Justin Brodley: A look back at 2020, a glance ahead at 21's top threats & key trends
In our 1st episode of ‘21, we cap off our cloud security series with a recap of the major milestones, key trends and surprises across 2020 through the eyes of cloud expert and podcaster, Justin Brodley. If you think you might have missed a few things that happened in the public cloud last year while waiting for news on COVID-19 vaccines, hitting refresh on election results or wondering when the four horsemen were finally going to show up, this episode is your chance to catch up and look ahead through the lens of both a practitioner and a pundit.
Recorded during AWS Re:invent, we examine the cloud service provider conferences across the year to find a clear absence of security topics making their way to center stage. While there were some notable developments, such as services providing easier cloud traffic analysis, much of the attention was elsewhere. Multi-cloud, in particular, leapt to the forefront for even Amazon who had been reluctantly dragging their feet.
Our comparison of the different cloud service providers (CSP) conferences gives way to Justin’s take on key differences in their security strategies. From Google’s cloud native approach to Microsoft’s gambit to compete with stand-alone security offerings seemingly inspired by their experience on-premises, we breakdown the CSP’s strengths and weaknesses in cybersecurity.
We chart the big moments of 2020 in the cloud, starting with outages that began with pandemic-strained capacity at Azure to the longest AWS outage witnessed in years around Thanksgiving. While security news didn’t penetrate the headlines in many instances, Justin mentions some noticeable developments and what we hoped to see, but didn’t.
Justin shares his top advice for anyone moving to the cloud to shore up their defenses. Given the vast amount of phishing, social engineering and misconfiguration issues in the cloud, it turns out that this has a lot more to do with improving our humans than it does our technology. Nonetheless, the threat landscape meaningfully advanced with more complex, serious attacks in 2020 which moved well beyond “S3 bucket negligence” that's perhaps best exemplified by the sophisticated Capital One breach.
In the waning moments of our 6 episode cloud series, we look to the trends that will define 2021 and end with a hopeful signal that us security types just might be starting to get the hang of this cloud thing.
Justin Brodley is an IT Executive with 20+ years in SaaS, Cloud, and IT operations. Most recently as VP of Cloud Operations at ICE Mortgage Technology (formerly Ellie Mae). He has helped companies transform their SaaS business, adopt cloud-native practices, and drive the cultural change of DevOps and DevSecOps. He is also one of the hosts of https://www.thecloudpod.net a weekly cloud news show covering AWS, GCP, Azure, DevOps, and more.
Winners, Losers & Long Shots: Kleiner Perkins’ Bucky Moore Breaks Down Cloud Security
Investors make their money seeing things others don’t. Making big bets based on both digging into painstaking detail and their ability to forecast what will happen many years into the future. In this 5th and (almost!) final episode of our series on public cloud security, we get deep into the mind of Bucky Moore from Kleiner Perkins to learn how the flow of funding is both responding to and shaping our industry’s transformation from protecting our own data centers to renting them from others.
Bucky begins by laying down our mile marker in the global cloud journey, answering the eternal question of “Are we there yet?” with a clear answer of “Not even close.” We follow these remarks to a walk through the different corners of the cyber security industry to see how they’re keeping pace. While many fail to impress, one of the legacy behemoths stands out from the pack as having impressively galvanized their business to meet the cloud challenge.
Setting companies aside, Bucky, Jack & Dave identify what technologies are the likely casualties are long-term cloud transition followed by a look at the obvious new areas to invest. Bucky describes a few more obscure tech opportunities he and Kleiner Perkins are watching that may produce a surprise hit in the future.
We explore the eye-popping amount of money raised by managed security services companies in 2020 such as Arctic Wolf, deepwatch & Pondurance and how they differ from the not-so-glamorous past of the MSSP market. Our discussion explains the hidden forces driving the new managed services opportunity and how we think it will play out over the years ahead.
If you’re looking to understand the insanely high valuations of companies like Snowflake and CrowdStrike-- or wondering what a SPAC is-- Bucky weighs in on these topics as well as we also dive into the surprise investing frenzy of 2020. Spoiler alert: it has a lot to do with both money and investors having no better places to go.
Cloud native invasion! An interview with Datadog’s Marc Tremsal in Public Cloud Security Series #4
As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products. This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog’s Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.
Datadog did not break down the doors of the industry, but rather was invited to enter by their customers whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others— they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work to overheated marketing claims, cybersecurity companies have alienated would-be cloud customers who openly wonder why they can’t buy protection the same way they purchase the rest of their infrastructure.
Marc talks through the challenges of staffing a cloud security product team— how much do you value deep domain expertise? Do you shrug it off and simply hire the best developers? We explain how the hottest talent on the market will be cybersecurity veterans who take the time to retool for the public cloud as they will hit the “goldilocks” spot for a growing throng of potential employers.
We wrap up a surprisingly optimistic conversation with a glance ahead to 2021 where Marc reckons consolidation of providers will be a key trend alongside a hard look at just how immutable some of our infrastructure truly is.
Public Cloud Security Series #3: How to catch up, survive multi-cloud & when to tap out with Rich Mogull
Our conversation with Rich Mogull was intended to provide an analyst view point on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy.
If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic. He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security— especially in assessing yourself for burnout.
If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you. We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.
If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.
We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long standing problems such as re-architecting are now solvable and operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.
Cloud Security Series #2 - Yelp’s Zach Musgrave on Defending a Cloud Native Business at Scale
In our 1st episode of this series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.
While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest tenured organizations who have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).
Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions with DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp’s tooling which centers on generous amounts of open source and their own projects including their current work on the Enhanced Berkeley Packet Filter (eBPF).
We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.
Customer ReviewsSee All
Valuable insights from knowledgeable industry SMEs
Dave Cole and Jack Daniels host great subject matter experts with practical security insights based on their experiences in the industry. No filler. Useful without the boring fluff. Add to this that they don't accept sponsorship $ to muddy the waters: you get clear-headed discussion uncolored by product pitches.
Love this sample and initial launch of fascinating conversations. Keep them coming!!
Fascinating Infosec Stories
Excellent new infosec podcast with knowledgeable hosts and interesting guests.