In the enterprise security news,

1. Change Healthcare’s HIPAA fine is vanishingly small
2. How worried should we be about the threat of AI models?
3. What about the threat of DeepSeek?
4. And the threat of employees entering sensitive data into GenAI prompts?
5. The myth of trillion-dollar cybercrime losses are alive and well!
6. Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity
7. Thanks to the UK for letting everyone know about end-to-end encryption for iCloud!
8. What is the most UNHINGED thing you've ever seen a security team push on employees?

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-395

'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.

Segment Resources:

• Microsoft Defender for Cloud Natively Integrates with Endor Labs
• 2024 Dependency Management Report
• How to pick the right SAST tool

Show Notes: https://securityweekly.com/esw-395

In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB).

In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the disillusion of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation.

• How the Change Healthcare breach can prompt real cybersecurity change

Show Notes: https://securityweekly.com/esw-395

In this week's enterprise security news, we've got

1. 5 acquisitions
2. Tines gets funding
3. new tools and DFIR reports to check out
4. A legal precedent that could hurt AI companies
5. AI garbage is in your code repos
6. the dark side of security leadership
7. HIPAA fines are broken
8. Salt Typhoon is having a great time
9. Don't use ChatGPT for legal advice!!!!!

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-394

We couldn't decide what to talk to Allie about, so we're going with a bit of everything. Don't worry - it's all related and ties together nicely.

• First, we'll discuss AI and automation in the SOC - Allie is covering this trend closely, and we want to know if she's seeing any results yet here.
• Next, we'll discover SecOps data management - the blood that delivers oxygen to the SOC muscles.
• Finally, we'll discuss MITRE's recent EDR evaluations - there was some contention around some vendors claiming to ace the test and we're going to get the tea on what's really going on here!

For each of these three topics, these are the blog posts they correspond with if you want to learn more:

1. Generative AI Will Not Fulfill Your Autonomous SOC Hopes (Or Even Your Demo Dreams)
2. If You’re Not Using Data Pipeline Management For Security And IT, You Need To
3. Go Beyond The MITRE ATT&CK Evaluation To The True Cost Of Alert Volumes

Show Notes: https://securityweekly.com/esw-394

We've got a few compelling topics to discuss within SecOps today. First, Tim insists it's possible to automate a large amount of SecOps work, without the use of generative AI. Not only that, but he intends to back it up by tracking the quality of this automated work with an ISO standard unknown to cybersecurity.

I've often found useful lessons and wisdom outside security, so I get excited when someone borrows from another, more mature industry to help solve problems in cyber. In this case, we'll be talking about Acceptable Quality Limits (AQL), an ISO standard quality assurance framework that's never been used in cyber.

Segment Resources:

• Introducing AQL for cyber.
• AQL - How we do it
• An AQL 'calculator' you can play around with

Show Notes: https://securityweekly.com/esw-394

This week, in the enterprise security news,

1. Semgrep raises a lotta money
2. CYE acquires Solvo
3. Sophos completes the Secureworks acquisition
4. SailPoint prepares for IPO
5. Summarizing the 2024 cybersecurity market
6. Lawyers that specialize in keeping breach details secret
7. Scientists torture AI
8. Make sure to offboard your S3 buckets
9. extinguish fires with bass

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-393

Listeners of the show are probably aware (possibly painfully aware) that I spend a lot of time analyzing breaches to understand how failures occurred. Every breach story contains lessons organizations can learn from to avoid suffering the same fate. A few details make today's breach story particularly interesting:

• It was a Chinese APT
• Maybe the B or C team? They seemed to be having a hard time
• Their target was a blind spot for both the defender AND the attacker

Segment Resources:

• https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
• https://www.theregister.com/2024/09/18/chinesespiesfoundonushqfirm_network/

Show Notes: https://securityweekly.com/esw-393

Spoiler: it's probably in your pocket or sitting on the table in front of you, right now!

Modern smartphones are conveniently well-suited for identity verification. They have microphones, cameras, depth sensors, and fingerprint readers in some cases. With face scanning quickly becoming the de facto technology used for identity verification, it was a no-brainer for Nametag to build a solution around mobile devices to address employment scams.

Segment Resources:

• Company website
• Aaron's book, Loyal

Show Notes: https://securityweekly.com/esw-393

This week in the enterprise security weekly news, we discuss

1. funding and acquisitions
2. Understanding the Semgrep license drama
3. Ridiculous vulnerabilities everywhere:
4. vulns to take down your entire city’s cell service
5. vulns to mess with your Subarus
6. vulns in Microsoft 365 authentication
7. cybersecurity regulations are worthless
8. Facebook is banning people for mentioning Linux
9. Vigilantes on Github
10. Mastercard DNS error
11. Qubes OS
12. Turning a "No" into a conversation

All that and more, on this episode of Enterprise Security Weekly!

Show Notes: https://securityweekly.com/esw-392

This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess.

First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories.

DeepSeek Primer

I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive.

Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to:

• the company
• the open source models released by the company
• the SaaS service (https://chat.deepseek.com)
• the mobile app (which is effectively just a front end for #3)
• the API (which is what the mobile app and SaaS service are built on top of)

From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this).

But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place).

Show Notes: https://securityweekly.com/esw-392

Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber.

Segment Resources:

• 2023 State of Inclusion Benchmark in Cybersecurity
• 2024 Cyber Talent Study by N2K and WiCyS
• WiCyS Programs

Show Notes: https://securityweekly.com/esw-392