Security Voices

Summary: There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time, we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.

Podcasts:

Startup Straight Talk with Serial Entrepreneur Alfred Huger | File Type: audio/mpeg | Duration: 4612

2+ years to interview Alfred Huger wasn’t too long to wait. After spending 8 years at Cisco following the acquisition of SourceFire, Al recently departed the networking giant to do his 4th startup in as many decades. Unbound from the usual PR police, Al candidly speaks on a wide range of topics, from why he has stayed at companies long past acquisition to how to distinguish between a miserable and a winning acquirer. Having raised venture capital funding from the 90s until now, Al’s experience charts a timeline of what’s happened to cybersecurity funding over the last 4 decades. From hardscrabble early days to today’s megarounds and eye-popping valuations, Alfred explains how he’s raising funding for his new company and why even a successful entrepreneur is not likely to bootstrap their business on their own funds alone.

Al shares his playbook for spotting the right product ideas along with some blunt words of caution for those excited about the latest industry analyst report. While cybersecurity veterans critiquing reviews and analysts is by no means novel, we go beyond an explanation of the negative implications to a new development from an unexpected place that is improving transparency and the industry in general. And that marketing plan? Al explains how it starts with your product and not your website.

If you’ve ever thought about starting a cybersecurity company and wanted to sit down with a “been there, done that” serial entrepreneur for a clear-headed, no-nonsense dialogue, this episode is for you.

Pancakes & Machetes: A Dialogue with Lesley Carhart | File Type: audio/mpeg | Duration: 5099

There are few people, if any, who have given more of themselves to the cybersecurity community than Lesley Carhart. Our conversation with Lesley came immediately after the 3rd annual PancakesCon, a free conference she conceived with a unique “20 on, 20 off” format that celebrates who we are outside of work as much as what we accomplish as security professionals. In the fashion of a person who is both an incident response expert and a community organizer, the conference was pulled together in a frantic 11 days after Omicron wreaked havoc on Winter conference schedules and Lesley saw a gap that needed to be filled.

Having joined the Air Force Reserves just before 9/11 with the intent to become an airplane mechanic, Lesley’s career has been spent balancing military service along with “the usual” pressures of working in cybersecurity. She explains how she juggled her civilian and military life for 20 years up until her recent retirement as an Air Force Master Sergeant. Lesley recaps her 2 decades of service while laying out the good, the bad and the misconceptions for any who would follow in her footsteps.

Alongside her cybersecurity day job and military service, Lesley also actively practices and teaches martial arts to children. We explore what motivates her passion for serving those around her, focusing on her early difficulties breaking into the cybersecurity industry in spite of having had her first programming job at the age of 15. Lesley, Jack and Dave conclude with a hopeful dialogue on what more we have to do to create a truly diverse and supportive cybersecurity community, and how it might be the key to finally resolving the current staffing and burnout crisis.

Bio

Lesley Carhart is a Principal Industrial Incident Responder at the industrial cybersecurity company Dragos, Inc. She has spent more than a decade of her 20+ year IT career specializing in information security, with a heavy focus on response to nation-state adversary attacks. She is recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics. Prior to joining Dragos, she was the incident response team lead at Motorola Solutions. Her focus at Dragos is developing forensics and incident response tools and processes for uncharted areas of industrial systems. She is also a certified instructor and curriculum developer for the Dragos “Assessing, Hunting, and Monitoring Industrial Control System Networks” course. She has received recognition such as DEF CON Hacker of the Year, a “Top Woman in Cybersecurity” from CyberScoop, “Power Player” from SC Magazine, and is a 2021 SANS Difference Makers award nominee. In her free time, Lesley co-organizes resumé and interview clinics at several cybersecurity conferences, blogs and tweets prolifically about infosec, has served for 20 years in the USAF Reserves, and is a youth martial arts instructor.

Juggling Chainsaws: How Amanda Gorton fought Apple & the DMCA while building Corellium | File Type: audio/mpeg | Duration: 3202

Your fledgling startup has just been sued by one of the most powerful companies in the world. How do you defend yourself? And keep your company afloat? This was the challenge faced by Amanda Gorton, CEO of Corellium, a company whose virtualization platform enables efficient mobile security research and quality testing across a massive variety of devices. Sued by Apple for both copyright infringement and violation of the Digital Millennium Copyright Act (DMCA), Amanda was thrust into an exhausting balancing act of defending and running her young business at the same time. In this episode of Security Voices, she shares the details of how she survived and successfully defended her company.

Dave and Amanda go beyond the lawsuit and into the tricky territory of companies like Corellium who provide a service whose sales process must be governed by a clear sense of ethics to avoid it falling into the wrong hands. She shares the real-world challenges of developing and applying such a policy in a company, and while it may be uncomfortable to trust a small company with such a weighty responsibility, they just might be the very best option we have.

We explore the complicated nature of the DMCA in a world that has changed dramatically since its anti-Napster driven inception back in the late 90s. From the NSA’s release of Ghidra to Web3, we muse on the future of the DMCA, whose relevance feels to be slipping into the history books.

Bio

Amanda Gorton is co-founder and CEO of Corellium, which provides an Arm-native cloud platform that virtualizes mobile and IoT devices across iOS, Android, and Linux. Corellium enables never-before-possible security research, development, and quality testing of apps, firmware, and hardware on Arm. Previously, Gorton co-founded and was the CEO of security startup Virtual, which was acquired by Citrix in 2014. She earned a degree in classics from Yale University.

All the Latest Cybersecurity Research, Summarized: Rebooting ThinkstScapes with Jacob Torrey | File Type: audio/mpeg | Duration: 3391

What if there was someone who could take all of the best security research over recent months and distill it down into the greatest hits? Sort of like a Spotify “Release Radar”, but for the best talks at conferences. There is. It’s not in Blinkist. It’s (back) at ThinkstScapes after a multi-year hiatus. And it’s now gloriously free.

This episode of Security Voices covers the return of ThinkstScapes with Jacob Torrey, who led the reboot of the now quarterly report. In the interview with Jack and Dave, Jacob explains how he and the team at Thinkst devour and summarize the very best security research from thousands of presentations and hundreds of conferences across the globe.

Jacob starts with some of his favorites, beginning with an innovative research project not from a startup or researcher, but from a multi-decade antivirus company that went all in on an industrial control system honeypot project. From there we cover ground that ranges from speculative execution vulnerabilities to a spate of embedded vulnerabilities, including a Hollywood-style attack using laser pointers to compromise voice-activated devices such as Amazon’s Alexa. In continuity from our last episode with Frank Pound, we also discuss a TCP timing attack that threatens to allow eavesdropping over satellite base station connections.

Look for our next episodes to resume their normal, monthly cadence as we’ve found a means of streamlining our audio production and we now have a recording waiting in the wings. Enjoy the show!

Satellite Hacking w/ Frank Pound | File Type: audio/mpeg | Duration: 4277

Hundreds of inexpensive satellites are now regularly launched into space through SpaceX’s Smallsat Rideshare program. Some are sophisticated and commercial, others are DIY and experimental. They share space with now over 3,000 other artificial satellites orbiting the Earth. What could possibly go wrong?

Frank Pound joins Jack and Dave for a conversation to answer the question of just how hackproof satellites really are and why it matters, starting with the Hack-a-Sat competition. Hack-a-Sat is an intensive capture-the-flag style competition, currently in its second year, where teams square off against one another to break into and defend satellite tech. And along the way, we learn that doing so requires encounters with strange software, hardware and not a small amount of hard math.

The best-known, most visible satellite hack dates back to the 1980s and involves a broadcast takeover around Thanksgiving by a man wearing a Max Headroom mask, which ended in a spanking but no real harm done. Jack and Dave explore the attack surface of satellites with Frank to find out, when the next attack happens, where it’s likely to be. And along the way, we discover the Hubble Telescope’s terrible secret: ancient JavaScript in its belly that’s likely kept on life support by some unfortunate government contractor. Throughout the hour-long conversation with Frank, one gets the impression that we’re still in the early days of satellite hacking. However, the breakneck pace of satellites being launched and their considerable potential vulnerability to cyber attacks point in the direction of a lot more than simply Max Headroom interruptions and GPS whoopsies in the future.

Strange roommates: Whitney Merrill on the uneasy coupling of security & privacy | File Type: audio/mpeg | Duration: 4184

A clear pattern is emerging of security leaders also being anointed with responsibility for privacy. Some of the origins of this movement can no doubt be found in regulations like GDPR, which blend requirements for both security and privacy in mandates for data breach response. While this may seem like a logical pairing for lawmakers, it can be anything but a happy marriage inside an organization, as the two not only compete for resources but also have divergent needs in areas such as data retention.

Whitney Merrill, founder of the DEF CON Crypto and Privacy Village and current Privacy Counsel at Asana, joins Jack and Dave to untangle the complicated relationship between privacy and security. From shared ground in areas such as longstanding shortages in staffing to profound differences elsewhere, security and privacy are just similar enough to allow those who combine them thoughtlessly to make a mess of them both. Case in point: Whitney explains that privacy is often not a risk exercise at all, but instead a legal matter. We conclude with Whitney’s clear, practical advice for CISOs who find themselves responsible for privacy for the first time, to keep their head above water and a healthy distance from regulators.

Our dialogue with Whitney also serves as a catch-up session for anyone who wants to go past current headlines, from the latest on Clubhouse, Facebook and Grindr to mobile deanonymization and the unsavory business of data brokers. She explains just how hard it is to actually get an organization to properly respond to a data inquiry, but why she does it and how the visibility she provided on the struggle may have prompted the California Attorney General to recently take action against a very visible, repeat offender.

From Tool to Sidekick - Human/Machine Teaming with Jamie Winterton | File Type: audio/mpeg | Duration: 3698

We’ve conditioned ourselves to look at our technology in a similar way we look at a box of tools: as instruments that passively do what we make them do. When we think of the future of artificial intelligence, it’s tempting to leap to fully autonomous solutions: when exactly will that Tesla finally drive by itself? In our interview with Jamie Winterton, we explore a future where AI is neither a passive tool nor a self-contained machine but rather an active partner.

Human/machine teaming, an approach where AI works alongside a person as an integrated pair, has been advocated by the U.S. Department of Defense for several years now and is the focus of Jamie’s recent work at Arizona State University, where she is Director of Strategy for ASU’s Global Security Initiative and chairs the DARPA Working Group. From testing A.I.-assisted search and rescue scenarios in Minecraft to real wartime settings, Jamie takes us through the opportunity and the issues that arise when we make technology our sidekick instead of solely our instrument.

The central challenges of human/machine teaming? They’re awfully familiar. The same thorny matters of trust and communication that plague human interactions are still front and center. If we can’t understand how A.I. arrived at a recommendation, will we trust its advice? If it makes a mistake, are we willing to forgive it? And how about all those non-verbal cues that are so central to human communication and vary person to person? Jamie recounts stories of sophisticated “nerd stuff” being disregarded by people in favor of simplistic solutions they could more easily understand (e.g., Google Earth).

The future of human/machine teaming may be less about us slowly learning to trust and giving over more control to our robot partners and more about A.I. learning the soft skills that so frequently make our other interpersonal relationships work harmoniously. But what if the bad guys send their fully autonomous weapons against us in the future? Will we be too slow to survive with an integrated approach? Jamie explains the prevailing thinking on the topic of speed and autonomy vs. an arguably slower but more optimal teaming approach and what it might mean for the battlefields of the future.

Note: Our conversation on human/machine teaming follows an introductory chat about data breaches, responsible disclosure and how future breaches that involve biometric data theft may require surgeries as part of the remediation. If you want to jump straight to the human/machine teaming conversation, it picks up around the 18 minute mark.

Melanie Ensign Doesn’t like Clubhouse, Press Releases & FUD - & Neither Should You | File Type: audio/mpeg | Duration: 4096

Communications professionals are often quiet coaches. They work their magic behind the scenes. They hold their opinions tightly and express them infrequently. In short, their influence is everywhere but their fingerprints are often invisible.

Melanie Ensign is having none of that. And we’re all the better for it. In this 64 minute interview, you’ll have the pleasure of meeting one of the most influential and outspoken communications executives in the world of cybersecurity and privacy. We begin with her role as press department lead for DEF CON, a role she’s held for 8 years and explains is the exact inverse of what you think it is.

In our next topic, Melanie breaks out the verbal chainsaw and applies it with vigor to the voice-based social network Clubhouse. From privacy mistakes to seeming indifference to community feedback on the topic, she explains in detail why she recommends her clients (and anyone else) avoid Clubhouse until they clean up their act.

The remainder of the conversation is a mini master class on how to succeed in communications for everyone from startups to new CISOs. Melanie dissects press releases and what to do instead of hitting Business Wire every Tuesday if you’re a young company. Young or old company, she shares why using fear, uncertainty and doubt (FUD) to persuade people ultimately fails and how we can move past it as an industry.

Much of Melanie’s work at her company Discernible is working with CISOs and their teams on their internal communications. Influenced by her time working at Uber and Facebook, Melanie offers a game plan for moving from reactive to proactive communications. Her advice is not for the weak-willed: she refuses to clean up anyone’s mess and doesn’t think you should either.

This quickly has become one of our favorite episodes and there’s truly something for everyone in the dialogue, except for those who dislike a little profanity to season their conversations. Note the explicit tag and enjoy the ride.

Cybersecurity Burnout - Recognition & Recovery Mini-Episode | File Type: audio/mpeg | Duration: 1896

We’ve met and passed the 1 year anniversary of the COVID-19 pandemic and cases of burnout are off the charts. We’re tired of Zoom. We’re tired of masks. Far too many kids are stuck at home instead of at school. The list could go on, but the result is obvious: we’re burned out. The effect can be all the more profound for beleaguered security professionals who often struggle with burnout even at the best of times.

Jack and Dave return in this mini-episode for a quick conversation about how to identify and respond when you’re feeling like you’re burnt. While often it’s Dave and a guest doing most of the talking, in this episode Jack is driving. He shares from his deep experience on the topic, starting with an explanation of the Maslach Burnout Inventory, which provides a structured, clear guide for determining just how crispy you are. The inventory is tailored for different professions, and while there is not one specific to cybersecurity, Jack and Dave explore specific aspects of our industry that up the stakes for burnout.

Importantly, Jack explains why getting help from a pro versus leaning on friends and family can be essential. We wrap up with some time-honored approaches to restoring yourself so that you’re ready to jump back into the action once again.

Note: For this short episode we tested a new production service, and you’ll also note we updated the website and our branding as well. And transcripts! We now have 100% more (raw) transcripts than before. We’ll be unleashing all this magic soon on a new full-length podcast we recorded this past week with the one and only Melanie Ensign.

Sh*t Talkin’, Deep Thoughts & Really Scary Phishing w/ Material Security | File Type: audio/mpeg | Duration: 3863

This episode of Security Voices is different. Let’s say you sat down at the end of a long day and had a casual drink with a few industry friends before dinner. The conversation quickly turns to serious topics which are all discussed with thoughtful insight, biting humor and some well-placed profanity. Welcome to the latest episode of Security Voices, where Jack & Dave wander off the beaten path with Abhishek Agrawal and Ryan Noon, co-founders of email protection company Material Security. This one isn’t for the easily offended or as the soundtrack to a drive with the kiddos.

“How not to suck as a vendor” is our introductory question, prompting an earnest conversation that starts with “don’t be an active cancer”, covers The Market for Silver Bullets and ultimately explains why the pandemic has made already questionable cyber security marketing even worse.

After exploring some of our top influences, from The Autobiography of Malcolm X and The Origin of Consciousness to Joe Frank’s avant-garde radio show, The Other Side, we talk email security. In a year that changed so many things, Abhishek and Ryan explain how truly little changed for phishing attacks. While the trend is not compelling, the reason why is. They walk us through what truly makes phishing attacks successful: distracted people reacting to well-timed messages. This hard truth confounds the market for anti-phishing training, as ultimately our susceptibility has much more to do with our emotional state at the time than it does our factual knowledge or even our learned behavior.

If you’ve wondered what the difference between phishing and business email compromise (BEC) is, this episode is for you. Abhishek provides a clear explanation of both topics before we forecast an ominous new threat on the horizon: Really Scary Phishing™.

Our wrap-up eschews the usual speed round and instead asks “What can cybersecurity learn from other industries?” Jack lays out how the service industry has much to teach us about taking care of our own, while Dave explains what he learned about empathy and innovation from the advertising industry. We depart on a hopeful note, as Ryan relays a story reminding us how small acts of kindness can have a large impact on others.

We’ll be taking a short break before the next episode as Jack and Dave attend to some important “life stuff”. See you in the Spring!

Cloud Security Series Wrap-up w/ Justin Brodley: A look back at 2020, a glance ahead at 21's top threats & key trends | File Type: audio/mpeg | Duration: 4011

In our 1st episode of ‘21, we cap off our cloud security series with a recap of the major milestones, key trends and surprises across 2020 through the eyes of cloud expert and podcaster Justin Brodley. If you think you might have missed a few things that happened in the public cloud last year while waiting for news on COVID-19 vaccines, hitting refresh on election results or wondering when the four horsemen were finally going to show up, this episode is your chance to catch up and look ahead through the lens of both a practitioner and a pundit.

Recorded during AWS re:Invent, we examine the cloud service provider conferences across the year to find a clear absence of security topics making their way to center stage. While there were some notable developments, such as services providing easier cloud traffic analysis, much of the attention was elsewhere. Multi-cloud, in particular, leapt to the forefront even for Amazon, who had been reluctantly dragging their feet.

Our comparison of the different cloud service provider (CSP) conferences gives way to Justin’s take on key differences in their security strategies. From Google’s cloud-native approach to Microsoft’s gambit to compete with stand-alone security offerings seemingly inspired by their experience on-premises, we break down the CSPs’ strengths and weaknesses in cybersecurity.

We chart the big moments of 2020 in the cloud, starting with outages that began with pandemic-strained capacity at Azure to the longest AWS outage witnessed in years around Thanksgiving. While security news didn’t penetrate the headlines in many instances, Justin mentions some noticeable developments and what we hoped to see, but didn’t. Justin shares his top advice for anyone moving to the cloud to shore up their defenses. Given the vast amount of phishing, social engineering and misconfiguration issues in the cloud, it turns out that this has a lot more to do with improving our humans than it does our technology. Nonetheless, the threat landscape meaningfully advanced with more complex, serious attacks in 2020 which moved well beyond “S3 bucket negligence”, perhaps best exemplified by the sophisticated Capital One breach.

In the waning moments of our 6 episode cloud series, we look to the trends that will define 2021 and end with a hopeful signal that us security types just might be starting to get the hang of this cloud thing.

About Justin

Justin Brodley is an IT Executive with 20+ years in SaaS, Cloud, and IT operations, most recently as VP of Cloud Operations at ICE Mortgage Technology (formerly Ellie Mae). He has helped companies transform their SaaS business, adopt cloud-native practices, and drive the cultural change of DevOps and DevSecOps. He is also one of the hosts of https://www.thecloudpod.net, a weekly cloud news show covering AWS, GCP, Azure, DevOps, and more.

Winners, Losers & Long Shots: Kleiner Perkins’ Bucky Moore Breaks Down Cloud Security | File Type: audio/mpeg | Duration: 4202

Investors make their money seeing things others don’t, making big bets based on both digging into painstaking detail and their ability to forecast what will happen many years into the future. In this 5th and (almost!) final episode of our series on public cloud security, we get deep into the mind of Bucky Moore from Kleiner Perkins to learn how the flow of funding is both responding to and shaping our industry’s transformation from protecting our own data centers to renting them from others.

Bucky begins by laying down our mile marker in the global cloud journey, answering the eternal question of “Are we there yet?” with a clear answer of “Not even close.” We follow these remarks with a walk through the different corners of the cyber security industry to see how they’re keeping pace. While many fail to impress, one of the legacy behemoths stands out from the pack as having impressively galvanized their business to meet the cloud challenge.

Setting companies aside, Bucky, Jack & Dave identify which technologies are the likely casualties of a long-term cloud transition, followed by a look at the obvious new areas to invest. Bucky describes a few more obscure tech opportunities he and Kleiner Perkins are watching that may produce a surprise hit in the future.

We explore the eye-popping amount of money raised by managed security services companies in 2020 such as Arctic Wolf, deepwatch & Pondurance and how they differ from the not-so-glamorous past of the MSSP market. Our discussion explains the hidden forces driving the new managed services opportunity and how we think it will play out over the years ahead.

If you’re looking to understand the insanely high valuations of companies like Snowflake and CrowdStrike, or wondering what a SPAC is, Bucky weighs in on these topics as we also dive into the surprise investing frenzy of 2020. Spoiler alert: it has a lot to do with both money and investors having no better places to go.

Cloud native invasion! An interview with Datadog’s Marc Tremsal in Public Cloud Security Series #4 | File Type: audio/mpeg | Duration: 4210

As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products. This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog’s Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.

Datadog did not break down the doors of the industry, but rather was invited to enter by their customers, whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others; they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work to overheated marketing claims, cybersecurity companies have alienated would-be cloud customers who openly wonder why they can’t buy protection the same way they purchase the rest of their infrastructure.

Marc talks through the challenges of staffing a cloud security product team: how much do you value deep domain expertise? Do you shrug it off and simply hire the best developers? We explain how the hottest talent on the market will be cybersecurity veterans who take the time to retool for the public cloud, as they will hit the “goldilocks” spot for a growing throng of potential employers.

We wrap up a surprisingly optimistic conversation with a glance ahead to 2021, where Marc reckons consolidation of providers will be a key trend, alongside a hard look at just how immutable some of our infrastructure truly is.

Public Cloud Security Series #3: How to catch up, survive multi-cloud & when to tap out with Rich Mogull | File Type: audio/mpeg | Duration: 4020

Our conversation with Rich Mogull was intended to provide an analyst viewpoint on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy. If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic. He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security, especially in assessing yourself for burnout.

If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you. We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.

If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.

We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long-standing problems such as re-architecting are now solvable and operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.

Cloud Security Series #2 - Yelp’s Zach Musgrave on Defending a Cloud Native Business at Scale | File Type: audio/mpeg | Duration: 3862

In our 1st episode of this series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.

While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest-tenured organizations to have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).

Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions with DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp’s tooling, which centers on generous amounts of open source and their own projects, including their current work on the Enhanced Berkeley Packet Filter (eBPF).

We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.
