Enterprise Security Weekly (Video)

If you’re looking for advice and information on enterprise security solutions, look no further than Enterprise Security Weekly! We give you an “insider” perspective into security vendors, including coverage on new product announcements, integrations, funding, M&A, and more! Adrian, Tyler, Katie, and Sean have unique perspectives on the enterprise security landscape. All four hosts are former analysts. Adrian has been a consultant, practitioner, founder, and runs Security Weekly Labs. Tyler has spent many years as a marketing executive for security vendors. Katie has also recently moved to a vendor marketing role. Sean is founder and CTO at Trimarc Security, a professional services company which focuses on improving enterprise security. Together they provide valuable resources for protecting the enterprise and following the market each week!


Jan 19, 2024

On this segment, we talk a lot about AI, new technologies, and the future from a personal and consumer standpoint. Not a lot of enterprise-relevant stuff in the news today, but consumer products and AI will have a HUGE long-term impact, so that's how we're justifying today's topical focus ;)

Show Notes: https://securityweekly.com/esw-346

Jan 18, 2024

The general public has varied opinions of biometric authentication, and an increasingly reluctant relationship with it, as more and more facial recognition is forced upon us (especially those of us that travel frequently). Facial recognition doesn't work for everyone, so what other options do we have?

In this interview, we'll explore accessibility in identity verification and the viability of voice-based authentication. How big an issue are AI-powered voice imposters? How will companies like Veridas combat these threats? We'll ask all these questions and more in this ESW interview.

Show Notes: https://securityweekly.com/esw-346

Jan 12, 2024

The year kicks off with TWELVE funding announcements and NINE acquisitions! Several new companies have merged, we already have a few dumpster fires burning and there is plenty of AI news to kick off the year.

The annual Consumer Electronics Show gives us previews of the invasive and insecure horrors that will be unleashed upon us this year, New Yorkers get right to repair, and Polish trains don’t. (see the show notes for more)

Finally, we talk Apple Vision Pro, Tetris, and skydiving iPhones.

Show Notes: https://securityweekly.com/esw-345

Jan 11, 2024

Many founders and early stage startups closely guard product details and information about their roadmap and go-to-market plan. Is it a bad idea then to build a company based around an open source project? Not at all, according to Ev Kontsevoy, whose company Teleport has done just that. Building a security vendor around open source isn't a magic formula for success, however, so we'll discuss the pros and cons of this approach.

We'll also discuss best practices for securing infrastructure at scale and Teleport's journey in enabling a different and more secure approach to managing remote infrastructure.

Show Notes: https://securityweekly.com/esw-345

Jan 11, 2024

GenAI hype is still at peak levels, but clearly some of the hopes and dreams pinned on it will fail, while other use cases we haven't even imagined will become commonplace. Greg Notch joins us to share his thoughts on what security leaders and the general public should be more or less worried about when it comes to GenAI.

Show Notes: https://securityweekly.com/esw-345

Jan 4, 2024

This is a special episode of ESW: our year-end wrapup for 2023. Want to make sure you didn't miss any big stories in 2023? This is the episode to check out! In under an hour, we'll summarize 2023, covering things like:

  1. our mindset coming into 2023 from 2022
  2. how 2023 kicked off
  3. some special themed episodes we recorded in 2023
  4. the state of the fragile and recovering startup market
  5. key acquisitions in 2023 and some acquisition rumors that never led to anything
  6. breach post-mortems and special lessons learned episodes we did in 2023
  7. some notable drama and dumpster fires
  8. 2023 themes and trends
  9. and some of our favorite newsletters, books, and tools from 2023

Enjoy!

Show Notes: https://securityweekly.com/vault-esw-7

Dec 28, 2023

I once told my college advisor that I wanted to double major in computer science and jazz performance. She laughed at me. Instead, I jumped into a career in IT and played jazz - without a degree in either. Turns out, that was fine - the industry valued experience and results over academic achievement. Today's guest has two degrees, one in fine arts, one in pre-law, and that's also fine. If there's anything I've learned in InfoSec, it's the mind that matters most, less so the degrees or certs on your wall. Angela Marafino gets cybersecurity and understands what makes it tick. Using this knowledge, she has built a personal brand, network, and career in an impressively short time. She is simultaneously mentor and mentee. Today, we'll explore Angela's path into the industry as well as some of her views on challenges, like imposter syndrome.

https://hbr.org/2021/02/stop-telling-women-they-have-imposter-syndrome

https://www.itspmagazine.com/focal-point-podcast

https://twitter.com/hackerbookclub1

Show Notes: https://securityweekly.com/vault-esw-6

Dec 22, 2023

This week, in the security market, we talk about next NEXT gen anti-virus, how Okta can (apparently) do no wrong, and a VC firm imploding.

Then we discuss how smartphones and speakers are allegedly being used to spy on us, and the future of privacy and consumer tech products.

The latest SSH vuln is much less concerning than media outlets and academic researchers would have you believe. The Citrixbleed vuln, however, is about as bad as vulns can get, and has led to one of the biggest US consumer breaches in a while, with Comcast/XFinity losing all customer records.

The SEC backpedals (again!) on requiring breached companies to provide details about how they got breached.

And finally, we have some fun with some squirrel stories that you should absolutely check out by going to our show notes, here: https://securityweekly.com/esw344

Show Notes: https://securityweekly.com/esw-344

Dec 22, 2023

Understanding how CyberRatings, NaaS, and SASE combine to make network security easier to buy and deploy. MEF is an industry association, providing standards, certifications, and facilitating community discussions. MEF has teamed up with CyberRatings.org to establish a certification program for SASE services, making it easier for buyers to understand what's included in SASE-related products and services.

Show Notes: https://securityweekly.com/esw-344

Dec 22, 2023

We're excited to give an end-of-year readout on the performance of the cybersecurity industry with Mike Privette, founder of Return on Security and author of the weekly Security, Funded newsletter. This year, this podcast has leaned heavily on the Security, Funded newsletter to prep for our news segment, as it provides a great summary of all the funding and M&A events going on each week.

In this segment, we look back at 2023, statistics for the year, comparisons to 2022, interesting insights, predictions, and more!

Show Notes: https://securityweekly.com/esw-344

Dec 16, 2023

On this week's news segment, we pick up where we left off with Doug running the show last week. We discuss current early stage categories, AD canarytokens, and low hanging vulns. We talk about why cybersecurity is important, but not nearly as unique or special as some might have you think. The goal of patching faster than exploits can be used - is it a fool's errand?

Also, pickleball - the country's fastest growing sport, is causing chaos across the nation.

Show Notes: https://securityweekly.com/esw-343

Dec 16, 2023

What is telemetry data and why is it important to cybersecurity? Why is it such a pain to collect, store and use? How do we improve our ability to gather and benefit from this data? Today, Tucker Callaway, the CEO of Mezmo joins us to answer all these questions and help us understand the future of the SIEM and other cybersecurity data tools.

Show Notes: https://securityweekly.com/esw-343

Dec 15, 2023

On this podcast, we've often struggled with whether or not to include stories and discussion on identity verification. Is identity verification cybersecurity proper, or cybersecurity adjacent as part of fraud prevention? As always, when we're unsure, we find folks to talk to and learn more.

Today, we'll be learning about weak points in the identity verification chain from Rob O'Farrell. He'll also be helping us to understand what identity verification is, and why it's important to cybersecurity overall. As more and more of the world is digitized (especially the lagging healthcare industry in the US), reliable identity verification seems more important every day.

Show Notes: https://securityweekly.com/esw-343

Dec 8, 2023

This week in the enterprise news, we explore the harsh realities of the startup world with a look at recent failures and shutdowns, investigating the factors leading to these setbacks. Meanwhile, Carbon Black makes headlines by breaking away from VMware in what seems like a divestiture within an acquisition, raising questions about the future of the company. We'll also discuss the European Space Agency's venture into cybersecurity for the space industry, revealing that even the vastness of outer space isn't immune to digital threats. Tune in for all this and more!

Show Notes: https://securityweekly.com/esw-342

Dec 8, 2023

Bob Ackerman argues that, from an investment perspective, cybersecurity is like life sciences - a complex, nuanced field that is difficult to invest in part-time. So his firm, Allegis Cyber, became one of the first to focus exclusively on investing in cyber startups. In this segment, we'll discuss one of Allegis's recent investments, SixMap, and Bob's other investment/accelerator vehicle, Data Tribe. Data Tribe sources investments from national intelligence, with examples like Dragos that came through this program.

Show Notes: https://securityweekly.com/esw-342

Dec 1, 2023

Nine out of the ten funding articles mention AI - they're either using it in their products, or protecting AI use cases (particularly GenAI and LLM use).

We discuss Broadcom's closing of the VMware acquisition, how they operate similarly to private equity firms, and how it's mostly bad news for VMware employees and customers.

Some weird legal cases this week: Binance's founder and CEO pleads guilty to money laundering charges, a cybersecurity company's COO pleads guilty to attacking hospitals to generate sales leads, and Hacking Team's founder is arrested for attempted murder!

We devote a chunk of time to discussing the huge rise in ransomware activity, and close out the show with a squirrel story on the tiny Pacific island nation of Tokelau, and how the .tk domain has destroyed its reputation, and nearly the nation itself.

Show Notes: https://securityweekly.com/esw-341

Dec 1, 2023

As with any category of trends, the success rate of cybercrime ebbs and flows. As Russia seems to be a safe haven for cybercriminals, it seemed for a while that the war in Ukraine might disrupt this activity. It did, but only for a short while.

Keith Jarvis walks us through the latest types, tactics, and trends in cybercrime. Secureworks' latest State of the Threat report reveals a disturbing dichotomy: how is it we understand our adversaries so well, but continue to fail to stop them? In this interview, we aim to understand what needs to happen to tilt the odds a bit back in our favor.

Show Notes: https://securityweekly.com/esw-341

Nov 30, 2023

While non-profit doesn't mean "no budget" when it comes to cybersecurity, a lot of smaller to mid-sized non-profits operate on a shoestring, with little to no money for cybersecurity talent or spending. This is where Sightline Security steps in. Sightline's founder and CEO, Kelley Misata joins us today to explain how her own non-profit helps other non-profits improve their cybersecurity posture.

Show Notes: https://securityweekly.com/esw-341

Nov 23, 2023

High School students represent the very beginning of the pipeline for the Cyber industry. What are the attitudes and perspectives of these young people? How can we attract the best and brightest into our industry?

Show Notes: https://securityweekly.com/vault-esw-5

Nov 17, 2023

Finally, in the enterprise security news,

  1. Lots of new security startups with early stage funding
  2. SentinelOne picks up Chris Krebs and Alex Stamos’s consulting firm
  3. PE firm picks up ActiveState - a company I haven’t thought about since I last downloaded ActiveState Perl 1000 years ago
  4. Microsoft announces the limited release of Security Copilot
  5. Semgrep releases a secrets scanner
  6. AGI predicted to come much sooner than you might expect
  7. NY State doubles down on cybersecurity regulations to protect its hospitals
  8. the young hackers behind Mirai, one of the biggest botnets ever
  9. Ransomware groups snitch on businesses to the SEC

Show Notes: https://securityweekly.com/esw-340

Nov 17, 2023

We regularly cover significant breaches on this podcast, but it is rare that we have enough information about a major breach to devote an entire segment to it. Today, we dive into lessons learned from the breach of Okta's customer support system that targeted some other major security vendors.

This is part of a troubling trend, where the target of an attack only serves as a jumping-off point to other organizations. China's 2023 attack on Microsoft is an example of this. It was easier to attack Microsoft 365, one of the world's largest business SaaS platforms, than to go after each of the 25 individual targets these Chinese actors needed access to.

Traditionally, we've thought of lateral movement as something that happens within a network segment, or even within a single organization. Now, we're seeing lateral movement between SaaS platforms, between clouds, from third party vendors to customer, and even from open source project to open source adopters.

In this segment, we'll cover five key lessons learned from Okta's breach, from information shared by Okta and three of its customers: 1Password, Cloudflare, and BeyondTrust.

  1. Protect Your Session Tokens
  2. Monitor for Unusual Behavior
  3. SaaS Vendors Are Common Targets
  4. Zero Trust Principles Work
  5. MFA Isn't a Binary (on or off) Control

Show Notes: https://securityweekly.com/esw-340

Nov 16, 2023

Once again, Theresa Lanowitz joins us to discuss Edge Computing, but with a twist this time, as Mani Keerthi Nagotu from SentinelOne joins us as well! As a field CISO, Mani knows all too well the struggles security leaders are going through, given the current market and threat landscape:

  • Maybe not less budget, but more pressure to produce results and justify spending
  • Security leaders being held personally accountable for performance
  • Potential layoffs, and the need to achieve the same goals with less labor and tool overhead

This segment is sponsored by AT&T Cybersecurity. Visit https://securityweekly.com/attcybersecurity to learn more about them!

Show Notes: https://securityweekly.com/esw-340

Nov 10, 2023

During the news today, we went deep down the rabbit hole of discussing security product efficacy. Adrian still doesn't believe in enterprise browsers beyond Google Chrome, but can't deny that Talon got a pretty favorable exit considering the state of the market. We see the first major exit for cybersecurity insuretechs, and discuss a few notable funding rounds.

We discuss Kelly Shortridge's essay on the origins and nature of the term "security" and what it means. Stephen Schmidt suggests 6 questions every board should ask their CISO, we explore Cyentia Labs' meta analysis of MITRE ATT&CK techniques, and Phil Venables shares some hilarious takes on infosec stereotypes.

Show Notes: https://securityweekly.com/esw-339

Nov 10, 2023

We've reached an inflection point in security. There are a handful of organizations regularly and successfully stopping cyber attacks. Most companies haven't gotten there, however. What separates these two groups? Why does it seem like we're still failing as an industry, despite seeming to collectively have all the tools, intel, and budget we've asked for?

Kelly Shortridge has studied this problem in depth. She has created tools (https://www.deciduous.app/), and written books (https://www.securitychaoseng.com/) to help the community approach security challenges in a more logical and structured way. We'll discuss what hasn't worked for infosec in the past, and what Kelly thinks might work as we go into the future.

Show Notes: https://securityweekly.com/esw-339

Nov 9, 2023

Today, we discuss the state of attack surface across the Internet. We've known for decades now that putting an insecure service on the public Internet is a recipe for disaster, often within minutes. How has this knowledge changed the publicly accessible Internet? We find out when we talk to Censys's Aidan Holland today.

Show Notes: https://securityweekly.com/esw-339
