Security Conversations

Welcome to Episode 1 of a brand new cybersecurity podcast discussing the biggest news stories of the week. Ryan Naraine hosts a fast-moving conversation with Juan Andres Guerrero-Saade (LABScon) and Costin Raiu (Art of Noh) on the Microsoft Recall debacle, the dark patterns emerging as big-tech embraces AI, Brad Smith's testimony and the lingering effects of the CSRB report, Apple's new Private Cloud Compute (PCC) infrastructure and Cupertino's long game. Oh, we also talk about the KL ban.

Links:

• Microsoft’s embarrassing Recall
• Brad Smith CSRB testimony
• Inside Apple Private Cloud Compute
• LABScon - Security Research in Real Time
• Follow Costin Raiu (@craiu) / X
• Follow JAG-S (@juanandres_gs) / X
• Follow Ryan Naraine (@ryanaraine) / X

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• XZ.fail backdoor detector (https://xz.fail)

Cris Neckar is a veteran security researcher now working as a partner at Two Bear Capital. In this episode, he reminisces on the early days of hacking at Neohapsis, his time on the Google Chrome security team, shenanigans at Pwn2Own/Pwnium, and the cat-and-mouse battle for browser exploit chains. We also discuss the zero-day exploit marketplace, the hype and promise of AI, and his mission to help highly technical founders bring products to market.

Links:

• Unedited transcript (AI-generated)
• Cris Neckar on LinkedIn
• Cris Neckar Bio (Two Bear Capital)
• Teenager hacks Google Chrome with three 0days
• Research on Trident zero-day flaws
• Cris Neckar podcast transcript (Unedited)

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• XZ.fail backdoor detector (https://xz.fail)

Malware paleontologist Costin Raiu returns for an emergency episode on the XZ Utils software supply chain backdoor. We dig into the timeline of the attack, the characteristics of the backdoor, affected Linux distributions, and the reasons why 'Tia Jan' is the handiwork of a cunning nation-state.

Based on all the clues available, Costin pinpoints three main suspects -- North Korea's Lazarus, China's APT41 or Russia's APT29 -- and warns that there are more of these backdoors lurking in modern software supply chains.

Links:

• Binarly XZ backdoor detector
• XZ Utils Backdoor FAQ (by Dan Goodin)
• CISA advisory on backdoor
• The JiaT75 (Jia Tan) timeline
• Unedited transcript

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Katie Moussouris founded Luta Security in 2016 and bootstrapped it into a profitable business with a culture of equity and healthy boundaries. She is a pioneer in the world of bug bounties and vulnerability disclosure and serves in multiple advisory roles for the U.S. government, including the new CISA Cyber Safety Review Board (CSRB).

In this episode, Moussouris discusses Luta Security's new Workforce Platform profit-sharing initiative, the changing face of the job market, criticisms of the CSRB's lack of enforcement authority, and looming regulations around zero-day vulnerability data.

Links:

• Luta Security Workforce Platform
• Katie Moussouris on Wikipedia
• Moussouris: Resist Urge to Match China Vuln Reporting Mandate
• Katie Moussouris on LinkedIn
• Cyber Safety Review Board

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Costin Raiu has spent a lifetime in anti-malware research, working on some of the biggest nation-state APT cases in history, including Stuxnet, Duqu, Equation Group, Red October, Turla and Lazarus.

In this exit interview, Costin digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, technically impressive APT attacks, and the 'dark spots' where future-thinking APTs are living.

Links:

• Costin Raiu on Twitter
• How to Protect Your Phone from Pegasus and Other APTs
• Costin Raiu: 10 big 'unattributed' APT mysteries
• Costin Raiu on the .gov mobile exploitation business
• WannaCry Ransomware Linked to North Korean Hackers

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. On this episode of the show, we discuss his team's recent discovery of an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

Danny digs into the inner workings of the botnet, the global problem end-of-life devices becoming useful tools for malicious actors, and the things network defenders can do today to mitigate threats at this layer.

Links:

• Danny Adamitis on Twitter
• Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet
• Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
• The KV-botnet Investigation
• ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks
• Daniel Adamitis on LinkedIn

Episode sponsors:

• Binarly, the supply chain security experts (https://binarly.io)
• FwHunt (https://fwhunt.run)

Allison Miller is founder and CEO of Cartomancy Labs and former CISO and VP of Trust at Reddit. She has spent the past 20 years scaling teams and technology at Bank of America, Google, Electronic Arts, PayPal/eBay, and Visa International.

In this conversation, we discuss the convergence of security with fraud prevention and anti-abuse, the challenges and complexities in IAM implementations, the post-pandemic labor market, the evolving role of CISOs and new realities around CISO exposure to personal liability, thoughts on the 'build vs buy' debate and the nuance and dilemma of paying ransomware demands.

Links:

• Allison Miller on LinkedIn
• Cartomancy Labs
• Security Leaders Spooked by SEC Lawsuit Against SolarWinds CISO
• New SEC rule on breach disclosure (PDF)
• Follow Allison Miller on Twitter
• Sponsor: Binarly Supply Chain Security Platform

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Rob Ragan, principal architect and security strategist at Bishop Fox, joins the show to share insights on scaling pen testing, the emergence of bug bounty programs, the value of attack surface management, and the role of AI in cybersecurity. We dig into the importance of proactive defense, the challenges of consolidating security tools, and the potential of AI in augmenting human intelligence. The conversation explores the potential of AI models and their impact on various aspects of technology and society and digs into the importance of improving model interaction by allowing more thoughtful and refined responses.

We also discuss how AI can be a superpower, enabling rapid prototyping and idea generation. The discussion concludes with considerations for safeguarding AI models, including transparency, explainability, and potential regulations.

Takeaways:

• Scaling pen testing can be challenging, and maintaining quality becomes difficult as the team grows. Bug bounty programs have been a net positive for businesses, providing valuable insights and incentivizing innovative research.
• Attack surface management plays a crucial role in identifying vulnerabilities and continuously monitoring an organization's security posture.
• Social engineering attacks, such as SIM swapping and phishing, require a multi-faceted defense strategy that includes technical controls, policies, and user education.
• AI has the potential to augment human intelligence and improve efficiency and effectiveness in cybersecurity. Improving model interaction by allowing more thoughtful and refined responses can enhance the user experience. Algorithms can be used to delegate tasks and improve performance, leading to better results in complex tasks.
• AI is an inflection point in technology, comparable to the internet and the industrial revolution. Can be game-changing to automate time-consuming tasks, freeing up human resources for more strategic work.
• Autocomplete and code generation tools like Copilot can significantly speed up coding and reduce errors. AI can be a superpower, enabling rapid prototyping, idea generation, and creative tasks.
• Safeguarding AI models requires transparency, explainability, and consideration of potential biases. Regulations may be necessary to ensure responsible use of AI, but they should not stifle innovation. Global adoption of AI should be encouraged to prevent technological disparities between countries.

Links:

• Rob Ragan's Theoradical.ai
• Testing LLM Algorithms While AI Tests Us — Testing LLM Algorithms While AI Tests Us
• LLM Testing Findings Templates — This collection of open-source templates is designed to facilitate the reporting and documentation of vulnerabilities and opportunities for usability improvement in LLM integrations and applications.
• Rob Ragan on Twitter
• Rob Ragan on LinkedIn
• Bishop Fox Labs

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Seth Spergel is managing partner at Merlin Ventures, where he is responsible for identifying cutting-edge companies for Merlin to partner with and invest in. In this episode, Seth talks about helping startups target US federal markets, the current state of deal sizes and valuations, and the red-hot sectors in cybersecurity ripe for venture investment.

Links:

• Seth Spergel bio — Seth has more than 20 years of experience building, selling, and investing in software and startups. Prior to Merlin Ventures, Seth was VP for Infrastructure Technologies at In-Q-Tel, a strategic investment firm that invests in startups that meet the mission needs of government customers.
• Merlin Ventures portfolio
• Palo Alto buys Talon, Dig Security — Technology powerhouse Palo Alto Networks is officially on a billion-dollar shopping spree in the cloud data security space.
• Episode Sponsor: Binarly — The Binarly REsearch team leads the industry in firmware vulnerability disclosure and advisories

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Dan Lorenc is CEO and co-founder of Chainguard, a company that raised $116 million in less than two years to tackle open source supply chain security problems. In this episode, Dan joins Ryan to chat about the demands of building a "growth mode" startup, massive funding rounds and VC expectations, fixing the "crappy" CVE and CVSS ecosystems, managing expectations around SBOMs, and how politicians and lobbyists are framing cybersecurity issues in strange ways.

Links:

• SBOMs - All the right ingredients, but something is still missing
• Open Source Development Threatened in Europe
• Chainguard Images: Reduce your attack surface
• Dan Lorenc on LinkedIn
• Dan Lorenc on Twitter/X
• Chainguard Raises $61 Million Series B
• Binarly -- Firmware Supply Chain Security Platform — Binarly is the world's first automated firmware supply chain security platform. Using cutting-edge techniques, Binarly identifies both known and unknown vulnerabilities, misconfigurations, and malicious code in firmware and hardware components.

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Nick Biasini has been working in information security for nearly two decades. In his current role as head of outreach for Cisco Talos Intelligence Group, he leads a team of threat researchers tasked with tracking nation-state APTs, mercenary hacker groups and ransomware cybercriminals. In this episode, Biasini talks about the cryptic world of threat actor attribution, the rise of PSOAs (private sector offensive actors) and why network edge devices are a happy hunting ground for attackers.

Links:

• Nick Biasini on Twitter
• Cisco Talos Library of Reports
• Nick Biasini on LinkedIn
• Beyond the Veil of Surveillance: Private Sector Offensive Actors (PSOAs)
• US Gov Mercenary Spyware Clampdown Hits Cytrox, Intellexa

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Allison Nixon is Chief Researcher at Unit 221B and a trailblazer in the world of cybercrime research. In this episode, we deep-drive into the shadowy dynamics of underground criminal communities, high-profile ransomware attacks, teenage hacking groups breaking into big companies, and the challenges of attribution and law enforcement. Allison sheds light on why companies continue to be vulnerable targets and what they're often missing in their cybersecurity strategies.

Links:

• Allison Nixon on Twitter
• Allison Nixon - Unit 221B bio
• Las Vegas casino hackers rely on violent threats
• Crossing boundaries to facilitate extortion, encryption, and destruction

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub, conducting research on China’s efforts to develop its hacking capabilities, artificial-intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline.

In this episode, Cary expands on a new report -- 'Sleight of Hand' -- that delves into the changing legal landscape for vulnerability disclosure in China, the PRC's weaponization of software vulnerabilities, advanced threat actors in China and that infamous Bloomberg 'rice grain' spy chip story.

Links:

• Sleight of hand: How China weaponizes software vulnerabilities
• Dakota Cary on Twitter
• Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting Mandate
• CSRB Log4j incident report (PDF)
• CISA China Cyber Threat Overview and Advisories

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Abhishek Arya is director of engineering at Google, overseeing open source and supply chain security efforts that include OSS-Fuzz, SLSA, GUAC and OSV DB.

In this episode, Arya talks about some early success experimenting with AI and LLMs on fuzzing and vulnerability management, the industry's over-pivoting on SBOMs, regulations and liability for software vendors, and the long road ahead for securing software supply chains.

Links:

• Abhishek Arya on LinkedIn
• OSS-Fuzz: Continuous fuzzing for open source software
• Google Brings AI Magic to Fuzz Testing
• AI-Powered Fuzzing: Breaking the Bug Hunting Barrier
• AI Cyber Challenge

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Dr Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College and a program manager at DARPA. In this episode, he discusses his pioneering work on securing parsers and patching long-forgotten devices. He also puts the AI hype into context and showers praise on the labor-of-love "citizen science" of hacking all the things.

Links:

• Sergey Bratus Bio

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

DARPA program manager Perri Adams joins the conversation to chat about her love for CTF hacking competitions, the hunt for leapfrog security technologies in DARPA’s Information Innovation Office (I2O), and the goal of the new AI Cyber Challenge (AIxCC) offering $20 million in prizes to teams competing to develop AI-driven systems to automatically secure critical code.

Links:

• DARPA AI Cyber Challenge Aims to Secure Nation’s Most Critical Software
• AIxCC - AI Cyber Challenge
• Follow Perri Adams on Twitter
• Google Brings AI Magic to Fuzz Testing
• AI-Powered Fuzzing: Breaking the Bug Hunting Barrier

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Peculiar Ventures chief executive Ryan Hurst joins the show to talk about a career that spanned 20 years at Microsoft and Google, his work building the plumbing for encryption on the web, unsolved problems in BGP security, the hype and promise of AI, and Microsoft's ongoing cloud security hiccups.

Links:

• Projects - Peculiar Ventures
• Ryan Hurst on LinkedIn
• Binarly - AI-powered firmware security
• SandboxAQ

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Bessemer Venture Partner's Jason Chan returns to the show for a frank discussion on the state of cyber, including thoughts on Microsoft's prominent security failures, the meaning of layoffs hitting security teams, the excitement around AI, and the long road ahead. The former Netflix security chief also talks about merging of the IT and security functions and the importance of cybersecurity proving its value to the business.

Links:

• Jason Chan, VP, Information Security, Netflix
• Jason Chan on LinkedIn
• Follow Jason on Twitter / X
• Jason Chan - Bessemer Venture Partners — Jason Chan is an operating advisor at Bessemer where he brings over twenty years of experience in cybersecurity and is especially passionate about large-scale systems, cloud security, and improving security in modern software development practices. Most recently, Jason built and led the information security team at Netflix for over a decade. His team at Netflix was known for its contributions to the security community, including over 30 open-source security releases and dozens of conference presentations. He also previously led the security team at VMware and spent most of his earlier career in security consulting. 

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

GitHub security chief Mike Hanley joins the show to discuss merging the CSO and SVP/Engineering roles, securing data and code in an organization under constant attack, the thrilling promise of AI to the future of secure code, the dangers of equating SBOMs to supply chain security, and new SEC reporting rules for CISOs.

Links:

• Michael Hanley on LinkedIn
• GitHub Security
• GitHub Copilot AI pair programmer
• Big Tech Vendors Object to US Gov SBOM Mandate

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Cenlar FSB security chief Jason Shockey joins the show to discuss the task of securing a financial institution, pivoting from a career in the military to the private sector, the current state of the job market, managing risk from APTs, and the mission of his My Cyberpath project.

Links:

• Jason Shockey on LinkedIn
• My Cyberpath
• Jason Shockey joins Cenlar FSB
• NIST Cybersecurity Framework

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Faraday chief executive Federico 'Fede' Kirschbaum joins the show to talk about building a startup in the vulnerability management space, the intricacies of the Argentinian hacking culture, stories of exploit writers and mercenary hackers, and the overwhelming U.S.-centric view of the cybersecurity industry.

Links:

• Faraday at Black Hat 2023
• Fede on LinkedIn
• Federico Kirschbaum on Twitter
• Ekoparty
• Padding Oracles Everywhere (Rizzo/Duong)

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Product security executive Kymberlee Price joins the show to gab about life in the trenches at the Microsoft Security Response Center (MSRC), the challenges of maintaining healthy hacker/vendor relationships, the harsh realities of bug-bounty programs, and thoughts on the cybersecurity job market.

Links:

• Kymberlee Price on LinkedIn
• BlueHat Seattle Closing Remarks - YouTube
• Keynote: Defenders Assemble - Kymberlee Price
• BlueHat | Microsoft

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

New General Manager of the Open Source Security Foundation (OpenSSF) Omkhar Arasaratnam joins Ryan for a candid conversation on the challenges surrounding open-source software security, lessons from the Log4j crisis, the value of SBOMs, and the U.S. government efforts at securing America's software supply chains.

Links:

• OpenSSF Welcomes New General Manager
• OpenSSF Alpha-Omega
• CSRB report on Log4j
• Big Tech Object to US Gov SBOM Mandate
• Omkhar Arasaratnam on LinkedIn

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Rishi Bhargava and the team of entrepreneurs behind Demisto’s $560 million exit are back at it with a new startup building technology in the customer identity market. The new company, called Descope, raised an abnormally large $53 million seed-stage funding round with ambitious plans to take on rivals big and small in the customer identity and authentication space.

On this episode of the podcast, Bhargava joins Ryan to talk about the VC funding landscape, the confusing 'identity' category, the responsibilities of vendors in the identity ecosystem, the emergence of Microsoft and Google as big security players, and some thoughts on the Israeli startup scene.

Links:

• Rishi Bhargava on LinkedIn
• Descope Targets Identity Market with Massive $53M Seed Round
• Palo Alto Networks to acquire Demisto for $560M

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Symmetry Systems executive Claude Mandy joins the show to discuss a career in the security trenches, life as a CISO during the WannaCry crisis, and first principles around data security. We dig into the emerging Data Security Posture Management (DSPM) category and how it extends the Zero Trust philosophy to hybrid cloud data stores.

Links:

• Claude Mandy on LinkedIn
• What is Data Security Posture Management (DSPM)?
• The DataGuard Solution
• Follow Claude Mandy on Twitter

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Munich Re Ventures investment principal Sidra Ahmed Lefort joins Ryan Naraine for a frank discussion on the state of VC funding in cybersecurity, the rise (and coming correction) in the land of security 'unicorns', the massive early-stage funding rounds and what they mean, layoffs and contractions, and the places in security still ripe for innovation.

Links:

• Sidra Ahmed Lefort on LinkedIn
• Portfolio | Munich Re Ventures
• What's Going on With Cybersecurity VC Investments?
• Video: VC View - Trends in Cybersecurity Innovation

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

SecuRepairs.org co-founder Paul Roberts joins the show to discuss his passion for the right to repair consumer electronic devices, the big-ticket lobbyists working to undermine the movement, and how changing consumer spending patterns are helping to rack up regulatory wins.

Links:

• SecuRepairs Mission
• Paul Roberts, Editor-in-Chief, Security Ledger — Paul Roberts, Editor-in-Chief, Security Ledger
• Paul Roberts on Twitter
• Fight to Repair Substack
• Tesla is a Vocal Opponent of the Right to Repair. Now we know why. — Tesla is a Vocal Opponent of the Right to Repair. Now we know why.

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Luta Security founder and chief executive Katie Moussouris joins the show to dish on the bug-bounty ecosystem, the abuse of hacker labor, and the common mistakes made by even the most mature security programs. A security industry pioneer, Moussouris argues for better use of bug bounty metrics to drive decisions and a heavy focus on reducing duplicate vulnerability submissions.

Links:

• Katie Moussouris - Wikipedia
• Katie Moussouris on Twitter
• Luta Security's Vulnerability Coordination Maturity Model
• Referral Bounty | Luta Security

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Caleb Sima is a cybersecurity lifer now responsible for security at Robinhood, a mobile stock trading platform. Caleb joins Ryan on the show to discuss the early hacking scene in Atlanta, building SPI Dynamics in a webapp security powerhouse, the evolution of attack surfaces, the CISO's changing priorities, and more...

Links:

• Caleb Sima on LinkedIn
• HP Snaps up SPI Dynamics
• Caleb Sima (@csima) on Twitter
• Robinhood Bio
• First 90 Days In the CISO Chair

Episode sponsors:

• Binarly (https://binarly.io)
• FwHunt (https://fwhunt.run)

Famed hacker Charlie Miller joins Ryan on the podcast to discuss a career in vulnerability research and software exploitation. Charlie talks about hacking iPhones and Macbooks at Pwn2Own, the 'No More Free Bugs' campaign, the Jeep hack that led to a recall and his current work securing Cruise's self-driving fleet. Plus, an interesting take on iOS Lockdown Mode.

• Episode sponsors: Binarly and FwHunt - Protecting devices from emerging firmware and hardware threats using modern artificial intelligence.

SentinelLabs malware hunter Juan Andres Guerrero-Saade (JAG-S) returns to the show to discuss how big-game attribution has changed over the years, the nation-state APT landscape, Mudge and the nightmares facing CISOs, and a mysterious actor named Metador.

Links:

• Report: The Mystery of Metador
• J. A. Guerrero-Saade on Twitter
• LABScon - Security Research in Real Time
• Researchers Crowdsourcing Effort to Identify Mysterious Metador APT

• Episode sponsors: Binarly and FwHunt - Protecting devices from emerging firmware and hardware threats using modern artificial intelligence.

Dan Lorenc and a team or ex-Googlers raised $55 million in early-stage funding to build technology to secure software supply chains. On this episode of the show, Dan joins Ryan to talk about the different faces of the supply chain problem, the security gaps that will never go away, the decision to raise an unusually large early-stage funding round, and how the U.S. government's efforts will speed up technology innovation.

Links:

• Dan Lorenc on LinkedIn
• Chainguard Enforce
• Sounil Yu on SBOMs, software supply chain security
• Extending SBOMs to the firmware layer
• Cybersecurity Leaders Scramble to Decipher SBOM Mandate

A conversation with Bishop Fox chief executive Vinnie Liu on the origins and evolution of the pentest services business, the emerging continuous attack surface management space, raising $75m as a 'growth mode' investment, cybersecurity's people problem, and much more...

Links:

• Vinnie Liu on LinkedIn
• Vinnie Liu at MS BlueHat v8
• Anti-Drone Tools Tested: From Shotguns To Superdrones

Network security pioneer Marty Roesch takes listeners on a trip down memory lane, sharing stories from the creation of Snort back in the 1990s, the startup journey of building Sourcefire into an IDS/IPS powerhouse and selling the company for $2 billion, the U.S. government killing a Check Point acquisition, and his newest adventure as chief executive at Netography.

Links:

• Martin Roesch on LinkedIn
• Martin Roesch - Wikipedia
• Martin Roesch on Twitter
• The early days of Snort
• Cisco Banks On Sourcefire And Snort For Its Security Future
• Check Point Aborts Sourcefire Acquisition
• Martin Roesch joins Netography as CEO

Serial entrepreneur Subbu Rama joins the show to talk about building a cybersecurity business, addressing the problem of entitlement sprawl and raising seed funding for intelligent access governance technology.

Links:

• BalkanID Platform Architecture
• Subbu Rama on LinkedIn
• Subbu Rama on Twitter

Maddie Stone is a security researcher in Google's Project Zero team. Over the last few years, she has publicly tracked the discovery and disclosure of zero-day malware attacks seen in the wild. On this episode, Maddie joins Ryan to chat about three years of zero-day exploitation data, the nuances around 0day disclosures, the never-ending struggle to mitigate memory corruption attacks and the need for transparency among affected vendors.

Links:

• A Year in Review of 0-days Used In-the-Wild in 2021
• Maddie Stone on LinkedIn
• 0day "In the Wild" Spreadsheet
• Maddie Stone on Twitter

Symmetry Systems co-founder Mohit Tiwari has been studying data security and control flow access for more than a decade. On this episode of the podcast, he discusses his transition from academia to data security entrepreneurship, first principles around the data security and privacy, the exploding DSPM (data security posture management) space, and the mission to solve one of cybersecurity's biggest problems.

Links:

• Mohit Tiwari | University of Texas at Austin
• Mohit Tiwari on LinkedIn
• Follow Mohit on Twitter
• Symmetry Systems DataGuard
• Why is DSOS an unsolved problem?

Director at Google's Threat Analysis Group (TAG) Shane Huntley joins the show and talks about lessons from the 2009 Aurora attacks, the surge in zero-day discoveries, the usefulness of IOCs, North Korean APT operations, private sector mercenary hackers, the expanding nation-state threat actor map, and much more...

Links:

• Shane Huntley on LinkedIn
• Twitter: @ShaneHuntley
• Project Zero: FORCEDENTRY Sandbox Escape
• Google and Operation Aurora
• A walk through Google Project Zero metrics
• Project Zero: 0day "In the Wild" Database

Netskope security chief Lamont Orange joins the show to chat about the changing role of the Chief Information Security Officer (CISO), managing security as a business enabler, the cybersecurity skills shortage, and his own unique approach to security leadership.

Links:

• Lamont Orange: A CISO's Point of View on Log4j
• Five minutes with Lamont Orange
• Lamont Orange columns on DarkReading

Thinkst founder and CEO Haroon Meer joins Ryan Naraine on the show to talk about building a successful cybersecurity company without venture capital investment, fast-moving attack surfaces and the never-ending battle to mitigate memory corruption issues.

Links:

• Haroon Meer on Twitter
• Thinkst: We bootstrapped to $11 million in ARR
• Memory Corruption and Hacker Folklore
• Thinkst Canary
• Podcast: Haroon Meer, Thinkst Applied Research

Chief executive officer at Egress Tony Pepper joins the show to talk about entrepreneurship in the fast-paced age of modern computing, the state of e-mail security, and his company's bet on securing the future of messaging in the enterprise.

Links:

• About Egress
• Tony Pepper on LinkedIn
• InfoSecurity Interview: Tony Pepper

Justin Campbell leads Microsoft’s Offensive Research and Security Engineering (MORSE) team. He joins the show to talk about his team's discovery of a SolarWinds in-the-wild zero-day, the never-ending stream of memory safety vulnerabilities, the evolving 'shift-left' mindset and Redmond's ongoing work to reduce attack surfaces.

Links:

• Microsoft Flags SolarWinds Serv-U 0-day exploit
• SolarWinds Serv-U RCE advisory
• In-the-wild zero-day counter
• Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Global director of Kaspersky's GReAT research team Costin Raiu returns to the show for an indepth discussion on the mobile surveillance business, the technically impressive FORCEDENTRY iOS exploit, the ethical questions facing exploit developers and the role of venture capitalists in the mobile malware ecosystem.

Links:

• Google Says NSO Pegasus Zero-Click 'Most Technically Sophisticated Exploit Ever Seen'
• Project Zero: A deep dive into an NSO zero-click iMessage exploit
• The Million Dollar Dissident: NSO Group's iPhone Zero-Days
• Pegasus vs. Predator: Doubly-Infected iPhone Reveals Cytrox Mercenary Vendor
• Proliferation of Cyber Capabilities in International Arms Markets

Corellium co-founder and chief executive Amanda Gorton joins the show to talk about raising $25 million in Series A funding, the market fit for device modeling and software virtualization products, the trials and tribulations of startup life, and the nuances of operating in the world of offensive security research.

Links:

• Corellium Secures $25M Series A Round
• Corellium Lands $25 Million Investment for Virtualization Tech
• Corellium for Journalists

Venky Venkateswaran works on client security and roadmap planning at Intel Corp. On this episode of the podcast, Venky joins Ryan to talk about a reported surge in firmware attacks, Intel's ongoing investments in cybersecurity, the importance of transparency and open documentation, and the company's push to fight ransomware with its flagship TDT (Threat Detection Technology).

Links:

• > Extending SBOMs to the firmware layer
• > Hardware Based Security for Business (Intel)
• > Alex Matrosov on the state of firmware security
• > Microsoft Launches JIT-Free 'Super Duper Secure Mode' Edge Browser Experiment

Episode sponsored by SecurityWeek.com

JupiterOne CISO Sounil Yu joins the show to sift through the noise and explain the value of SBOMs (software bill of materials), the U.S. government's response to software supply chain security gaps, and what every buyer and seller should be doing to prepare for major changes in the ecosystem.

Episode sponsored by MongoDB.com.

Algirde Pipikaite, the project lead of the Governance and Policy team at the Center for Cybersecurity at the World Economic Forum, joins the podcast to discuss her work to bridge the gap between cybersecurity experts and decision makers. We chat about communicating risk to different audiences, cybersecurity as a business enabler, and the need for more global private-public collaboration.

Links:

• Algirde Pipikaite Profile
• Developing the Future of Policy for Cybersecurity
• CNBC: Cyberattacks on the rise amid coronavirus crisis, WEF expert says

Josh Schwartz, aka FuzzyNop, oversees offensive security, product engineering, and security engagement functions at Verizon Media (soon to be Yahoo). He shares insights on red-teaming, overcoming the adversarial relationship between red/blue teams. chasing the "feeling" of being secure, and why there's a need for more empathy in cybersecurity.

(Episode sponsored by Eclypsium)

Netflix threat detection and response practitioner Michael Laventure joins the show to talk about a simple goal to "do security better." We discuss a transition from .gov security work to the fast pace of Silicon Valley, the culture clashes that can make life difficult, the value of threat-intelligence to a modern security program, and why we should all be optimistic about the future of cybersecurity.

Founding-member of the Google security team Heather Adkins joins the conversation to stress the importance of defenders playing the "long-game," the need for meaningful culture-change among security leaders, the expansion of zero-trust beyond identities and devices, and some thoughts on the future of electronic voting.

Sponsored by Eclypsium:
Eclypsium ships an enterprise device platform that provides visibility and mitigation for malicious activity all the way down to the firmware and hardware level. Think of it as one platform to discover, inventory, assess risk, patch, and detect compromises and supply chain breaches across your entire fleet of devices. Request a demo at Eclypsium.com.

Facebook product security leader Collin Greene joins the show to discuss philosophies around securing code at scale, the pros and cons of relying on bug-bounty programs, the humbling lessons from being on the wrong side of a malicious hack, and why "shift-left" should be the priority for every defender.

Links:

• Six Buckets of Product Security
• Outcomes > Bugs

Former head of offensive security research at NVIDIA Alex Matrosov joins the show to talk about the state of security at the firmware layer, the need for specialized reverse engineering skills, the limits of bug-bounty programs for hardware research, and the future of advanced malware analysis.

Links:

• Alex Matrosov on LinkedIn
• Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
• Bootkit threats: In-depth reverse engineering & defense

Charles Nwatu is an engineering manager in Netflix's Security, Technology Assurance & Risk organization. He joins Ryan on the show to talk about a career pivot from U.S. gov service into cybersecurity in Silicon Valley, the exciting parts of compliance and risk management, and why newcomers should consider jobs in SOCs to kickstart security careers.

Links:

• Charles Nwatu on LinkedIn — Corporate Security & Security, Technology Assurance & Risk, Netflix
• How Netflix’s Charles Nwatu Turned His Desire to Help People Into a Career in Information Security

Director of Internet Analyis at Kentik, Doug Madory, joins the podcast to shed light on the mysterious appearance of unused IPv4 space belonging to the US Department of Defense: the strange connection to a Florida company now managing the world's largest honeypot; the odd Inauguration Day timing of this discovery;, and why enterprise network defenders should pay very close attention.

Links:

• The Mystery of AS8003 — On January 20, 2021, a great mystery appeared in the internet’s global routing table. An entity that hadn’t been heard from in over a decade began announcing large swaths of formerly unused IPv4 address space belonging to the U.S. Department of Defense.
• Pentagon explains odd transfer of 175 million IP addresses to obscure company | Ars Technica — "Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?"
• AS8003 GRS-DOD

Sponsored by Eclypsium

Chris Castaldo has a fascinating career in cybersecurity. A U.S. army veteran who dabbled in tech during the early 2000s dot-com boom before settling on security, Castaldo is now CISO at Crossbeam and a decision-maker with a bird's eye view into how the should be protected.

Castaldo joins Ryan on the show to talk about his new book on securing the startup, why he's the rare CISO that loves security vendor briefings and demos, and his vision of the CISO's top priorities.

Shubham Shah is a brilliant hacker who quit his pen-testing job to hack for cash in bug-bounty programs. He quickly mastered the game of automating automating pre-breach reconnaissance and zero in on common webapp programming and configuration errors. Shubs, now co-founder at Assetnote, joined Ryan on the show to talk about the stressful life of a fulltime bug-bounty hunter, advancements in web app security defense, and how automation is completely rewriting the bug-discovery business.

Links:

• Assetnote
• Shubs Shah: Hacking on Bug Bounties for Four Years
• High frequency security: 120 days, 120 bugs
• h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)
• H2C Smuggling in the Wild

Newly appointed Executive Editor at VentureBeat Fahmida Rashid joins the show to talk about her introduction to computer networking in school, her winding path into cybersecurity journalism, the security stories worth telling, the venture capital ecosystem, and the surge in unicorn cybersecurity startups.

Links:

• Follow Fahmida on Twitter
• Fahmida Rashid on LinkedIn

Microsoft's David Weston joins Ryan on the show to discuss a new report that shows 83% of organizations have been hit by a firmware attack in the last two years.

As businesses continue to under-invest in resources to prevent firmware attacks, Weston warns about the inevitability of advanced attacks at the 'invisible' layer, the absence of skills and tools to find malicious activity in firmware, the nightmare of navigating the patching treadmill, and exciting tech innovation in the space.

At age 16, Lena Smart finished high school and went into the workforce. At the time, a university degree and advanced education were not available to her in a single-parent household in Scotland. Today, she is CISO of MongoDB, a $16 billion company with thousands of employees around the world and she is a leading voice on education and talent-identification in cybersecurity.

Lena joins Ryan on the show to tell stories from her childhood, the decisions that carved a path for a successful career in security, the anguish of imposter syndrome, the joys of building a modern security program, and impressive tech innovation moving the security needle.

Patrick Howell O’Neill is the cybersecurity senior editor for MIT Technology Review. In this out-of-band episode of the show, Patrick joins Ryan to discuss his latest scoop on Google Project Zero's visibility into malware used in a Western .gov counter-terrorism operation, the tricky nature of attributing nation-state backed attacks, Apple's iOS becoming a hot target and the controversies surrounding all of these conversations. Follow Patrick on Twitter.

After a 20-year career working in the offensive security reseach trenches, security industry pioneer Nico Waisman made the transition to defense to head up privacy and security efforts at ride-sharing firm Lyft. Waisman joins Ryan Naraine on the show to talk about early hacking in Argentina, the contributions of non-Americans to the security industry, and much much more...

Ron Brash joins Ryan Naraine on the show to talk about the recent water supply hack, the state of security in ICS/SCADA installations, the checklist of affordable things for critical infrastructure defenders, and the things we should worry -- and not worry -- about.

Ron is Director of Cyber Security Insights at Verve Industrial Protection, a critical infrastructure-focused organisation that sells services and products that work across IT and OT environments for effective cyber security, controls and management.

This is the republication of an interview first conducted in March 2013 with then-VUPEN chief executive Chauki Bekrar. The audio file was lost in several podcast platform transfers and I'm glad to be able to retain this interview for historical purposes.

The recording was conducted in the hallways of the CanSecWest Pwn2Own hacking contest in 2013 where Bekrar's team of hackers demo'd a zero-day attack against Microsoft Internet Explorer 10 on Windows 8, an exploit that bypassed all mitigations including the browser sandbox. We chat about the controversies surrounding the sale of zero-day vulnerabilities and exploits, his company’s business dealings and the work that goes into winning the CanSecWest Pwn2Own hacker contest.

(Please excuse the audio quality and background chatter, this was recorded with a small handheld device in a noisy room).

Journalist-turned-intel analyst Selena Larson joins the podcast to discuss the nuances of cybersecurity journalism, making the shift to analyzing intelligence and writing for a private audience, the ransomware epidemic, and the state of critical infrastructure security.

Links:

• Selena Larson Presentations
• Follow Selena on Twitter
• Selena Larson on Bringing New & Diverse People into the ICS Security Community
• ICS OSINT: An Attacker’s Perspective
• Selena Larson profile

Gusto chief security officer Fredrick 'Flee' Lee talks about his passion for democratizing security, solving problems for small businesses, the responsibilities of being a black security leader, and the people and experiences that influenced him along the way.

Links:

• Gusto Appoints Fredrick Lee Chief Security Officer
• Secret CSO: Fredrick "Flee" Lee, Gusto
• CISO to CISO Webcast with Fredrick "Flee" Lee

TechCrunch security writer Zack Whittaker stumbled into journalism while in college and has carved a successful career covering cybersecurity the last decade. He joins the podcast to talk about landing at ZDNet out of university and some lucky breaks along the way. Zack also talks about the trials of living and working with Tourette syndrome.

Netflix security leader Jason Chan talks about the connections between ultra-marathons and running a robust security program, his view of the defender's top priorities, the talent shortage in cybersecurity, and the shifting patterns that drive secure code delivery.

Links:

• Jason's ultra-marathon photos
• Keynote: Keeping Developers and Security Teams Happy
• Developer Empathy with Jason Chan of Netflix (Podcast)
• Hacktivity 2014: Jason Chan -- Building a Glass House
• I Want Your Job: Jason Chan, Netflix

After a career in government that included physical security work for the U.S. State Department, Matt Honea transitioned to Silicon Valley and turned his attention to the cyber-insurance space. He joins the podcast for a frank discussion on cyber-insurance, ransomware payments and trends, and his opinions on innovation in security.

Links:

• Matt Honea blog posts
• Safe Harbor Programs: Ensuring the Bounty Isn't on ...

Cybersecurity journalist and author Andy Greenberg joins the podcast to talk about his career as a journalist, the ins-and-outs of negotiating a big story with sources, the intricacies of writing a good book, and some of his biggest stories to date.

Links:

• Follow Andy Greenberg on Twitter
• Andy Greenberg's Wired bio
• Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

After a career in diplomacy at the U.S. State Department, Uber's Brooke Pearson headed to Silicon Valley to find a new path in cybersecurity. We chat about her early interest in Russia and international relations, a life-changing chance encounter during an airport layover, using non-traditional skills to find success in tech, and her passion for helping minorities find meaningful careers in security.

[ DISCLAIMER: These are the personal opinions of Tim MalcomVetter and do not construe an official endorsement or business relationship of his employer with any product or service. ]

Walmart Red Team lead Tim MalcomVetter joins the podcast to talk about red-team/blue team dynamics, the adversarial relationship between the two sides, the mentality of a determined attacker, and why everyone in cybersecurity should give jiu-jitsu a try.

Links:

• TIm's Articles on Medium
• Follow Tim MalcomVetter on Twitter
• LinkedIn Profile

Hacker-turned-entrepreneur Matt Suiche reminisces about the hacking scene in France, his introduction to memory forensics and how his research led to presenting at Microsoft's Blue Hat, the grind of building and selling a company, and his passion for supporting young security researchers in developing countries.

Links:

• OPCDE Online
• Comae Technologies
• Follow Matt Suiche on Twitter

AT&T Cybersecurity's Jaime Blasco talks about falling in love with security as a high-school student in Spain, finding a career path in pen-testing and offense, shifting to building defensive technologies and his current passion for exploring the value of machine learning.

Links:

• AT&T AlienLabs
• Follow Jaime on Twitter
• Open Threat Exchange (OTX)

Mobile security pioneer Collin Mulliner talks about the early days of hacking PalmOS devices, the current state of smartphone platforms, his work on securing self driving cars, and why he built and open-sourced a firmware analyzer tool.

Links:

• Firmware Analyzer — FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules.
• Collin's blog
• PDF: Continuous Automated Firmware Security Analysis

Hitch Partners principal Michael Piacente dishes on the cybersecurity job market during an economic crisis, the intricacies of recruiting top-flight security talent, the high rate of turnover among CISOs, and why companies should spend more time on writing better job descriptions.

Links:

• WSJ: CISOs stay on the job less than three years, compared with nearly seven years for CEOs
• Exploring the CISO's personal brand

Security industry pioneer Dave Aitel dishes on entrepreneurship, fostering a "one team, one parking lot" culture, how lessons from his time at the NSA still guides his decisions, and his approach to blunt, honest marketing. We also discuss a shared passion for Brazilian Jiu-Jitsu and his work supporting Project Grapple in Miami.

Links:

• Project Grapple, The Jiu-Jitsu Non Profit Changing Lives
• Aitel Foundation
• Infiltrate Conference
• Daily Dave (mailing list)

Former Chief Security Scientist at Bank of America, Sounil Yu, explains why he created the Cyber Defense Matrix framework and how organizations are using it to drive visibility and security decisions in multiple places. We discuss securing "cattle vs pets," the next era of security innovation, and the increasing security poverty line that hurts small- and medium-sized businesses.

Links:

• Cyber Defense Matrix — The Cyber Defense Matrix helps us understand what we need organized through a logical construct so that when we go into the security vendor marketplace, we can quickly discern what products solve what problems and be informed on what is the core function of a given product. In addition, the Cyber Defense Matrix provides a mechanism to ensure that we have capabilities across the entire spectrum of options to help secure our environments.
• Cyber Defense Matrix Reloaded — This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.

In an industry where 10-15% of staff are women, Akamai's security team is 40% women and growing. Chief security officer Andy Ellis joins the podcast to share lessons on practical things -- some subtle, some major -- that pushed real diversity on Akamai's security team.

Links:

• One company’s successful approach to gender balance
• Video: 20 Years In: Security’s Grand Challenges, Then and Now
• Andy Ellis: Humans are Awesome at Risk Management

Veteran malware hunter Costin Raiu talks about writing his own an anti-virus program as a teenager in Romania, his work tracking advanced threat actors globally, and why he assumes his computer is compromised by at least three APT groups.

Links:

• "Equation Group" ran the most advanced hacking operation ever uncovered
• The adventures of lab ED011 — One Romanian campus computer lab both pentested the world and eventually helped protect it
• Costin Raiu on Twitter
• The "Red October" Campaign

Flashpoint chief executive Josh Lefkowitz talks about how his previous work as a counter-terrorism analyst underscored the value of contextual threat-intelligence, his company's approach to gathering and analyzing data, and his mission to be an extension of a client's security team.

Links:

• Flashpoint - Library
• '7 Minutes' with Flashpoint CEO Josh Lefkowitz
• Video: Josh Lefkowitz on AlphaBay's demise

BlackBerry security response executive Christine Gadsby joins the podcast to talk about tough decisions around shipping secure software, the challenges of securing supply chain dependencies, BlackBerry's new ransomware recovery feature, and her upcoming Black Hat 2018 presentation.

Links:

• Black Hat 2018: Stop that Release There's a Vulnerability!
• Christine Gadsby on Twitter
• BlackBerry Enterprise Software - Security & Management for the Enterprise of Things
• Christine Gadsby on LinkedIn

Cybersecurity industry veteran Chad Loder talks about his time as co-founder of Rapid7, the decision to acquire Metasploit, lessons learned from moving to the CISO chair and why the industry still struggles with security awareness training.

Links:

• About Habitu8
• Chad Loder on Twitter
• Rapid7 Acquires Metasploit

Chris Castaldo, senior director of cybersecurity at 2U, Inc., joins Ryan on the podcast to talk about building a threat model for digitizing the education sector, his top priorities as a defender, new solutions that impress him, and why it's important to get independent third-party security assessments.

Links:

• Uptycs
• osquery | Easily ask questions about your Linux, Windows, and macOS infrastructure

Founder and CEO of Wire Security, Wim Remes, joins the podcast to discuss the intricacies of penetration testing, red-teaming, bug bounty programs, and calls for defenders to embrace continuous pen-testing.

Links:

• Wim Remes on GitHub
• Wim Remes on Twitter

Lacework Chief Security Architect Dan Hubbard joins the podcast to discuss his new research on container security, the challenges of securing cloud deployments, and why technological advancements have widened attack surfaces.

Links:

• Containers at risk (PDF direct download)
• Dan Hubbard on Twitter

David Weston manages the Windows Device and Offensive Security Research teams at Microsoft. He joins the podcast to talk about how proactive red-team exercises push major mitigations to Microsoft's products and the current state of security in the Windows ecosystem.

Links:

• Dave Weston on Twitter
• David Weston: Hardening with Hardware — In this talk, we will review the metamorphosis and fundamental re-architecture of Windows to take advantage of emerging hardware security capabilities.
• Windows 10 in S mode

SVP and Chief Information Security Officer (CISO) at Lending Club, Rich Seiersen, digs into the nuts and bolts of defending a financial services firm, his approach to finding quality cybersecurity talent, and the importance of confronting security with data. (Recorded during fireside chat at SecurityWeek’s CISO Forum).

Links:

• Book: How to Measure Anything in Cybersecurity Risk — How to Measure Anything in Cybersecurity Risk exposes the shortcomings of current "risk management" practices, and offers a series of improvement techniques that help you fill the holes and ramp up security.

Founder and CEO of GreyNoise Intelligence Andrew Morris (andrew___morris) talks about his “anti threat-intelligence” company, the ways SOCs are using it to filter through scanning noise and the trials and tribulations of bootstrapping a start-up.

Links:

• What is GreyNoise?

Managing Partner at YL Ventures, Yoav Leitersdorf (ylventures), explains the surge in cybersecurity investments in Israel, the priorities for his $75 million fund and which sectors are ripe for the picking.

Links:

• Ask A VC: Yoav Leitersdorf On The Cyber Security Opportunity — In this week’s episode of Ask A VC, we hosted YL Ventures’ Yoav Leitersdorf in the studio to talk about cyber security, innovations in Israel and more.

Principal Security Researcher at Recorded Future’s Insikt Group, Juan Andrés Guerrero-Saade (juanandres_gs), explains the nuances of good threat intelligence, sheds light on nation-state hacker activity and warns that adversaries don’t have to be “sophisticated” to launch successful attacks.

The founder and CEO of Dragos, Inc. Robert M. Lee (RobertMLee) cuts through the hype around threats to critical infrastructure and offers a matter-of-fact take on active defense, “hacking-back,” and nation-state espionage operations.

VP of Product at RiskIQ Brandon Dixon (@9bplus) delves into nation-state cyber operations, explains why it’s dangerous to underestimate North Korea’s capabilities, and his passion for roasting the perfect coffee bean.

Links:

• Split Key Coffee
• Split Key Coffee on Medium
• Tainted Leaks: Disinformation and Phishing With a Russian Nexus - The Citizen Lab — This report describes an extensive Russia-linked phishing and disinformation campaign. It provides evidence of how documents stolen from a prominent journalist and critic of Russia was tampered with and then “leaked” to achieve specific propaganda aims.

Slack security architect Ryan Huber talks about the gargantuan task of defending an organization with 8 million daily active users, burnout, and fatigue in security teams and a range of issues around bug bounties and penetration testing.

Links:

• Video of Rob Joyce's 2016 Enigma talk
• Ryan Huber on Twitter

Chief Technology Officer at Quarkslab Ivan Arce (@4dgifts) tells stories about the birth of penetration testing platforms, the concentration of hacking talent in Argentina, and his focus on security problems in the Android ecosystem.

Founder and CEO of Fyde (@FydeApp) Sinan Eren discusses the “iOS-ification” of platforms and the security ramifications, the dangers of running AV software, the iOS vs. Android security argument, and his new venture to address mobile phishing attacks.

Links:

• Security vendors need to stop doing more harm than good

Founder and CTO at Senrio Stephen Ridley (@s7ephen) talks about the abysmal state of IoT security, his recent exploitation of an IP camera, and router to exfiltrate corporate data and his experience as a minority in the security industry.

Links:

• Introducing - Senrio Discovery

Founder and CEO at MKACyber Mischel Kwon joins the podcast to address the state of the SOC (Security Operations Center) and how businesses should deal with issues around excessive alerts, incident response times, and outdated metrics.

Links:

• MKACyber
• Mischel Kwon on LinkedIn

CISO and VP of Strategy at Digital Shadows Rick Holland discusses his path in the information security industry, advancements in the threat intel space, and his passion for good bar-b-que.

Links:

• Rick Holland on LinkedIn
• Digital Shadows

Latacora Security founder Thomas Ptacek joins the podcast to weigh in on the cybersecurity skills shortage, his approach to recruiting and hiring, and what needs to be done to address diversity in the industry.

Links:

• Latacora -- Security Teams For Startups — Latacora does just one kind of engagement: we join your engineering team virtually and run security, for about a year. Then we help you hire someone full-time to replace us.
• Thomas H. Ptacek on Twitter

Co-founder and Chief Security Officer at Signal Sciences Zane Lackey riffs on DevOps, the almost impossible task of defending organizations from intruders, bug bounties versus penetration testing, and the pros and cons of launching a company with venture capital investment.

Links:

• Zane Lackey on LinkedIn
• Signal Sciences -The Next-Gen Web Protection Platform

Thinkst founder Haroon Meer talks about building a security company from scratch without VC funding, using Canaries to pinpoint signs of intruder activity, advancements in security research, and the state of the bug bounty market.

Links:

• Thinkst Canary - how it works
• Video : Enterprise security - A new hope
• Haroon Meer on Twitter

Red teamer and security researcher by day, nerdcore rapper by night, ‘int eighty’ joins the podcast to talk about his work breaking into computer systems, common security mistakes that people make, and his double life as a musician in Dual Core.

Links:

• Dual Core / International hip hop duo

Veteran cybersecurity writer Dennis Fisher joins the podcast to talk about his new journalism venture at decipher.sc, his preference for long-form writing, and the trends worth following in the security space.

Links:

• Dennis Fisher | Decipher — He is one of the co-founders of Threatpost and previously wrote for TechTarget and eWeek, when magazines were still a thing that existed. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. His work has appeared in The Boston Globe, The Improper Bostonian, Harvard Business School’s Working Knowledge, and most of his kids’ English papers.
• Dennis Fisher on Twitter

Tim Maurer, a scholar at the Carnegie Endowment for International Peace, talks about nation state-backed hacking activity and the dangers of breaking trust in the global financial system.

Links:

• Tim Maurer - Carnegie Endowment for International Peace — Tim Maurer is the co-director of the Cyber Policy Initiative and a fellow at the Carnegie Endowment for International Peace. Since 2010, his work has been focusing on cybersecurity, human rights in the digital age, and Internet governance, currently with a specific focus on cybersecurity and financial stability.
• Tim Maurer on Twitter
• Cyber Mercenaries: The State, Hackers, and Power — Cyber Mercenaries explores the secretive relationships between states and hackers. As cyberspace has emerged as the new frontier for geopolitics, states have become entrepreneurial in their sponsorship, deployment, and exploitation of hackers as proxies to project power. Such modern-day mercenaries and privateers can impose significant harm undermining global security, stability, and human rights.

Principal and founding investor at ForgePoint Capital Cybersecurity William Lin talks about venture capital activity in the security space, sectors that are ripe for investment, missed bets on successful companies, and the cybersecurity talent shortage.

Links:

• William Lin on LinkedIn
• Forgepoint portfolio companies

Chief Information Security Officer at Turner Broadcasting Pete Chronis discusses his new book on solving the cybersecurity conundrum, the day-to-day grind of securing a global media organization, and the role of the CISO in the modern world.

Links:

• The Cyber Conundrum: How Do We Fix Cybersecurity?

Adobe’s Chief Security Officer Brad Arkin talks about setting and managing risk management priorities, protecting company infrastructure, the challenges of securing software, and the looming death of Adobe Flash Player.

Links:

• Brad Arkin on Twitter
• Security at Adobe

Director of Security at Facebook Aanchal Gupta joins the podcast to share her story and provide guidance for young women struggling to overcome societal obstacles.

Links:

• Aanchal Gupta on LinkedIn
• Facebook Security
• Cybersecurity Needs Diversity

Senior Director of Security and Compliance at Vera Security Tom Conklin talks about the pros and cons of using bug bounty programs, the challenges of managing risk in smaller companies, and why user awareness training is an ongoing headache for security administrators.

Links:

• Vera Security
• Tom Conklin on LinkedIn

Chief Information Security Officer at Fox News, Fox Business, and Fox Television John Terrill joins the podcast to talk about life in the CISO trenches and makes a bold prediction that could significantly change the cybersecurity narrative.

Links:

• John Terrill on Twitter

Co-founder and CEO of Recorded Future Christopher Ahlberg discusses the emergence of threat intelligence as a valuable security tool, the morals and ethics surrounding disclosure of nation-state attacks and the importance of tracking adversaries beyond the wall.

Links:

• Recorded Future
• Christopher Ahlberg on LinkedIn

As businesses struggle with security awareness training for employees, Elevate Security co-founder Masha Sedova argues that the focus should be on “behavior change” and recommends the use of positive motivation and available tools to get employees to make better security decisions.

Links:

• Masha Sedova on LinkedIn
• Hacker's Mind by Elevate Security
• Masha Sedova on Twitter

Veteran security journalist Paul Roberts talks about the creation of Security Ledger, his work covering cybersecurity, the democratization of media, and hiccups with IoT legislation.

Links:

• The Security Ledger
• Paul Roberts on Twitter

Dino Dai Zovi, co-founder and CTO of Capsule8, joins the podcast to talk about the fallout from the Meltdown and Spectre vulnerabilities, the transition from security research to managing a VC-funded start-up and reminisce about his time as a famous Pwn2Own MacBook hacker.

Links:

• Part One: Detecting Meltdown using Capsule8
• Part Two: Detecting Meltdown and Spectre by Detecting Cache Side Channels
• 10 questions for MacBook hacker Dino Dai Zovi
• Dino Dai Zovi on Twitter

Sharon Anolik, President and Founder of Privacy Panacea, talks about her work advising corporate clients on privacy and data protection issues, the looming chaos surrounding the European Union’s GDPR (General Data Protection Regulation) and the role she plays on ‘Silicon Valley.’

Links:

• Privacy Panacea
• Sharon Anolik on Twitter

Award-winning security journalist and author Kim Zetter talks about her work tracking cyber-espionage campaigns, why she uses an old school cassette player to record sensitive interviews and the dramatic changes sweeping the security industry.

Links:

• Kim Zetter on Twitter
• Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon: Kim Zetter: 9780770436193: Amazon.com: Books
• Was Georgia’s Election System Hacked in 2016?
• Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

Dark Reading executive editor Kelly Jackson Higgins joins the podcast to tell security journalism war stories, talk about her new WiFi-enabled refrigerator and some trends worth following closely.

Links:

• Kelly Jackson Higgins on Twitter
• Dark Reading

Computer security researcher and CEO of Luta Security, Katie Moussouris. talks about her life in the penetration testing trenches, advocating responsible security research, building bug bounty programs and the challenges of succeeding as a woman in the industry.

Links:

• Luta Security
• How I Got Here: Katie Moussouris
• It’s dangerous to conflate bug bounties and vulnerability disclosure | CSO Online
• Katie Moussouris (@k8em0) on Twitter