Security Voices

Initially led by software as a service (SaaS), the transition to the public cloud is one of the most important changes we’ve witnessed in information technology to date. From the early days of SaaS to the current stage where adoption of infrastructure, platform and function as a service (IaaS, PaaS, FaaS) are catching on like wildfire, there’s an increasing awareness that the end state of this shift few aspects of how we do our jobs will be unchanged. This Security Voices episode is the first of five where we dig into the details of how the public cloud is transforming cybersecurity.Teri Radichel joins us to explain key concepts in public cloud technology, the differences from on-premises, migration options and more. If you’ve ever wondered what is meant by “lift and shift” or “cloud native”, this is for you. Teri’s background as a trainer, author and researcher shines through as she describes both broad concepts in easily understood terms but she also doesn’t spare the details for those who are already cloud savvy.Beyond the core concepts, Teri compares and contrasts the security models across Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). As she walks us through the differences between the three platforms, you get a sense of the complexity faced by those straddling an on-premise environment as well as the public cloud – not to mention several clouds at once. From networking to identity and access management models, no cloud service provider is quite like the other. Moreover, the fierce competition between Google, Microsoft and Amazon is driving such rapid changes in their platforms that any grip you have on exactly how things are is a slippery one at best.In spite of the challenges, Teri explains her belief that one can achieve better security in the cloud than on-premises. Doing so requires thinking differently, however, such as Teri’s advice to handle data as we would handle money. We hope this episode lays the groundwork for you for understanding the current state of public cloud security as in the next show we dive into the trenches with a cloud security practitioner at Yelp.

If you’ve been laid off, furloughed or are just plain tired of everything, this episode is for you. Kathleen Smith, the longstanding cyber career expert at B-Sides (and beyond) joins us for a dialogue on what’s happening in the security job landscape. Lost your job? Kathleen explains a tried and true process for recovery, reflection and finding your next gig. Not to mention a few surprising options for those who aren’t afraid of a little adventure, such as the military reserves or a job in one of the often overlooked national laboratories.In a rare moment of good news this year, Kathleen explains how COVID-19 has driven an increase in cyber security jobs both in the government and commercial sectors in response to a recent increase in threat activity.  If you’re willing to put in the extra effort (and put down your cannabis), she also describes what it takes to score a government clearance and gain access to an entirely new pool of opportunities.Once a coveted perk, remote work has blown the job market wide open for all. Roles once restricted to those within a certain location are now broadly accessible. However, working far away from your colleagues in your house has serious implications for your social relationships, energy and health  that many are only beginning to understand. Kathleen breaks down how to recreate boundaries between one’s personal and professional life, a skill she learned the hard way during her time in non-profits such as the American Red Cross and World Wildlife Fund.Before wrapping up, Kathleen talks directly to leaders and how she has adapted her style in 2020 to meet the extraordinary challenge while avoiding burnout. We hope our hour plus conversation with Kathleen is a welcome break from whatever you’re facing right now, providing you with help in your current job or a fresh perspective on what to do next.

Discussing cryptography is usually a surefire way to end a dinner conversation. It combines two things that intimidate (and bore) many people: hard tech and complex math. In spite of this, cryptography is on center stage today as it is the very foundation of defending our privacy and perhaps unlocking how we can safely share health information in the midst of the pandemic. There are few people who both understand and can explain cryptography in plain English better than Dr. Zulfikar Ramzan, CTO of RSA.Our hour long conversation with Zully tackles how concepts such as zero knowledge proofs and multiparty computation might be applied during the current COVID-19 pandemic. Historically, sharing healthcare information has been an “all or nothing” affair with difficult privacy trade-offs being made in the name of ensuring we receive the right care at the right time. Zully takes us through how long standing encryption concepts, now made practical by advances in computing, may allow us to selectively share vital health information such as vaccination records or test results without sacrificing our personal privacy.Zully also explains how cryptographers are preparing for a world where quantum computers can make short work of our current encryption practices. He draws perspective from the mid-90s when the Advanced Encryption Standard (AES) was being developed and explains the road ahead for promising lattice-based methods that could form the basis of a new, post-quantum AES replacement.Beyond cryptography, we discuss Zully’s role as CTO at one of the most iconic brands in security. He takes us through “a day in the life” and explains his responsibilities beyond being the company’s spokesperson. Perhaps more importantly, Zully explains how he balances all of this with his family where making crispy cauliflower takes priority over factoring prime numbers.

The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec. While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition— a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a ZeroTrust model. Some aspects of COVID-19, such as customers’ struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis likely permanent impact on live events (e.g., industry conferences) and what they may evolve to in the future.We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that he illustrates with his own colorful experience.

The misinformation spread during the COVID-19 pandemic has made what happened with the 2016 U.S. elections look like the “good old days.” Epidemiologists are on center stage trying to explain complex topics to billions of people concerned for their lives-- and sometimes politicians are aiming to do the same. The multiplier effect is how hopelessly entangled challenging technical issues like end to end encryption and contact tracing via bluetooth on mobile phones are now also being publicly debated.The most natural reaction? Confusion. Kenn White is here to help.During our 60 minute conversation with Kenn, Jack and Dave go past the headlines trumpeting Zoom’s security issues in an attempt to lay bare the real issues with their recent missteps.  Their initially misleading claims around end to end (E2E) encryption is our primary focus, but before diving deep into Zoom, Kenn explains exactly how hard it is to make it work by describing his 2 year journey to deliver E2E encryption at MongoDB. We pull apart the remaining concerns and Zoom’s impressive response to provide our take on just how worried you should be, from Johnson Elementary School to the defense industrial base.Kenn has a unique perspective on the idea to use contact tracing via Bluetooth to identify who infected people have been in proximity to in order to slow the spread of a disease.  Having spent 10+ years supporting clinical trials, he explains why using our mobile phones to make contact tracing during the COVID-19 pandemic is unlikely to be successful in the near future. We hope this conversation with Kenn brings you clarity and calm at a time when both are in short supply.​Note: We spend the first ~15 minutes talking about coping strategies during the pandemic. If you’d like to jump straight to the content focused on E2E encryption it begins right around the 15 minute mark.​About KennKenneth White is a security engineer whose work focuses on networks and global systems. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews on TrueCrypt and OpenSSL. He currently leads applied encryption engineering in MongoDB's global product group. He has directed R&D and security Ops in organizations ranging from startups to nonprofits to defense agencies to the Fortune 50. His work on applied signal analysis has been published in the Proceedings of the National Academy of Sciences. His work on network security and forensics has been cited by the Wall Street Journal, Reuters, Wired, and the BBC. He tweets about security, privacy, cryptography, and biscuits: @kennwhite.

In the midst of the COVID-19 pandemic, it’s easy for thoughts to stray to the apocalypse. Nowhere is this tendency more common than when we talk about robots. Decades of books, movies and television have explored the topic of “when robots attack” and the calamity that follows. Today, domestic robots struggle to make it up the stairs and Siri can’t reliably order take-out… or even take notes. It all feels very far-fetched. And it is. However, if we move past the science fiction and look more closely at developments between humans and robots, we can begin to see some startling developments. This is the domain of Straithe, a pioneering researcher who studies how interactions between humans and robots can be abused and manipulated. We know very well how email, phone calls and websites can be used as part of elaborate social engineering schemes, what happens when the attacker’s tool looks like a person and can physically interact with us? While domestic robots like the Jetson’s Rosie are not wheeling around our houses today, we are being implicitly trained to interact with digital assistants such as Amazon’s Alexa, Apple’s Siri and many others. While the privacy implications of having such assistants always listening is much discussed, we’re only beginning to understand how matters change when they take physical form such as Knightscope’s K5 or Softbank’s Pepper the Robot. Straithe explains how these robots not only create serious privacy concerns through passive collection and instant transmission of everything from license plates to MAC addresses, but also how people are likely to react for them if they are used for ill intent. She explains early research that indicates robots are effective at getting people to do things on their behalf. When you combine these factors with a spotty record of robot security vulnerabilities, the potential for genuine harm through robots goes from far-fetched to near future.Our ~60 minute conversation with Straithe is hopefully a break from whatever you’re dealing with during the current crisis. We hope you find this glimpse into a fascinating corner of cyber security research a diversion from whatever you’re dealing with presently and useful framing for what lies ahead.

In this episode we step far beyond the hype cycle and dive into the details of scaling a data science team in the security industry with Dr. Sven Krasser. Sven joined CrowdStrike in the early days and the initial part of the conversation with Dave is an incredibly timely conversation covering how to structure and work with remote teams effectively. The interview was recorded a week before the 2020 RSA Conference in San Francisco when the early impact of COVID19 in the U.S. was just starting to be felt.There are 2 dominant themes to our conversation. First, Sven covers the hard realities of machine learning (ML) and warns against both over dependence and hyperbole. There are many areas where a more simplistic approach is going to get the job done faster and cheaper without the need to maintain a costly ML model. Sven shares his approach to choosing the right tool for the job and a handy tip for determining where ML marketing has gone astray.The second theme is the attack surface of ML itself. Seemingly long gone are the days when companies boasted that ML was the coup de grace for the defenders in the endless game of cybersecurity 'cat and mouse'. Today, we know that there are tactics aplenty for both weakening and defeating ML-based defenses that are available to everyone and easier than ever. Our longstanding cat and mouse game isn't over, it's simply more complex than before. Our nearly 70 minute conversation with Sven serves as both a "102" exploration of applied ML in cybersecurity and a chat between friends.  We cover the less obvious advantages of being based in Los Angeles, the criticality of data quality to effective ML and exactly which marketing myths rankle data scientists the most.

The second half of our Day Jobs series is the very first Security Voices episode we recorded: Dave interviewing Jack on the origins, shenanigans and future of BSides. Jack charts the history of the conference from its inception at a rental house in Las Vegas with a couple hundred people to today where Security BSides is a global movement that has eclipsed 500 events (and growing).One of the most unique aspects of Security BSides is that anyone can create their own event. It is a nonprofit organization that has as its heart a single, potent principle: be good to and for your community. The flexibility of BSides to be molded to the needs of the local community wherever it goes, from Memphis to Riyadh, is a core ingredient of its success. Jack explains how they carefully walk the line of letting each organizer shape their own BSides conference while stepping in only as necessary to lend a helping hand or occasionally correct course when things have come off the rails. The “just enough” guidance approach extends all the way to allowing new events to change names completely and blossom into different conferences. Security BSides in Phoenix became CactusCon, an event in the Bay Area became Bay Threat and MiSec traces its roots back to a BSides in Michigan. All of these offshoots are not only encouraged but celebrated by Jack and the BSides crew who see this as yet another way of fitting the event to the personality of the local community.Security BSides often serves as the starting point of open dialogue on critical industry topics such as gender diversity and mental health that the larger conferences only address years later. Jack takes us through the first “Feathers will Fly” session in Las Vegas which served as a meaningful catalyst for future conversations on gender inequality and (the lack of) diversity in cyber security. We wrap up with Jack musing on the future of BSides and what it could become long past the year 2020.

Our February Security Voices episodes are a 2 part series where Jack and I focus on our “day jobs”, starting with the current episode on Open Raven. Part 2 will be the very first podcast we recorded, but never released where Dave interviews Jack on the origins and escapades of B-Sides. This is close as we intend to come to promoting anything explicitly on Security Voices and if you’re completely allergic to even the scent of such things, join us back in March where we’ll pick back up with an interview of the Chief Scientist at a high-profile security company. In the meantime, we thought you might appreciate a little background on what Jack and Dave do outside of Security Voices as it understandably colors our perspective, from the questions we ask to the stories we tell. Open Raven was officially founded in April of 2019 by Dave and Mark Curphey, whom some will recall was the focus of episode 5 of Security Voices. Rather than solely focus on the founders, something we feel happens entirely too much, we felt you might like to hear from the people building the product itself. Consequently, Dave emcees the episode as we interview the Open Raven team members on topics from the graph back-end to how the company is branded and thinks about UX. The content is at times a little technical but should still be approachable by most and it should give you a sense of the design decisions one makes in an early stage company.Throughout the episode you will hear the authentic voice of the team as they share the principles driving what Open Raven is building along with the pain and successes along the journey.

Could you create a fake cyber security company and rack up industry awards overnight? How about fabricating a founder and scoring them impressive job offers? Haroon Meer did both of these recently for a presentation titled “The Products We Deserve” as an exploration and commentary on the state of the industry. Jack, Dave & Haroon take on snake oil in security during an hour long conversation to determine exactly how someone could create a great company amidst the pressures that threaten to pull one in the wrong direction.The catalyst for Haroon’s presentation and our discussion is his personal experience at Thinkst where he has focused on building a “bottoms-up”, product first company that has grown steadily since its inception without venture capital. His thoughts, from how to deal with industry analysts to “ball pit marketing” at conferences, come from Thinkst’s direct experience aiming to not only grow the company, but grow it in a way that is true to their own values. How Haroon and Thinkst navigate challenges such as having a strong presence for the company at the RSA Conference (sans shenanigans) is an exercise in creative problem solving versus rejecting the experience entirely or simply following the crowd. While it would be easy for an episode such as this to be bleak or even angry, Haroon’s thoughtful approach and optimism give us a portrait of how we might emerge from our awkward adolescence as an industry into a better future.

Our 1st episode of 2020 is a story in three parts, beginning with hard fought wisdom of a veteran security practitioner, then diving deep into machine learning (ML) before wrapping up with how both security and AI apply to connected vehicles. The first part of our 74 minute conversation with Josh Lemos is the backstory of how he started his career in cybersecurity as a consultant... and left services to join ServiceNow as a practitioner. His time at ServiceNow lays out a solid formula for fixing application security inside a growth company who can little afford to slow down-- or suffer the pain of the inevitable breach if the situation doesn’t improve.​Jack & Dave’s conversation with Josh on ML lays down many of the basics and is intended to be a rough primer for future episodes where we will further explore the topic. We discuss how ML projects often take much more preparation than originally planned and topics that range from class imbalances, the differences between supervised/unsupervised ML, a starter’s toolkit and what to expect along with some rookie mistakes to avoid.As part of Cylance/Blackberry, Josh has recently been involved with connected vehicle projects where standard security techniques for detecting executable malware on laptops and servers can start to look like child’s play in comparison to effort required to properly diagnose events across the diverse hardware and software found in a modern car.  Before wrapping with our speed round, we look ahead at areas where ML may be able to make leaps forward in both vehicles and across cyber security.

While visions of sugar plums might be dancing in children’s heads as we close out 2019, the 2020 elections are occupying the head space of many adults in the U.S. In 2016, the importance of election security was made crystal clear. What’s happened since then? Are we ready for 2020? How do experts believe our defenses will hold up when tested by foreign and even domestic attacks?We spent an hour exploring election security (and more) with Camille Stewart, a cyber security attorney with experience working inside tech companies as well as considerable time spent on Capitol Hill in both the Department of Homeland Security and as a consultant. Camille breaks down the major aspects of election security and we discuss why it’s seemingly so fractured across municipalities-- and why that may not be such a bad thing after all.  Jack, Dave and Camille debate how election defenses might be improved, from the role of open source and private services to “defending forward” by taking out troll farms. While Camille declined to grade our readiness for the attacks in 2020 (which have already begun), Camille does make predictions about what will happen during the ‘20 elections, including the likelihood of domestic influence campaigns.Our ~75 minute conversation with Camille showcases the breadth of her experience in both the Silicon Valley and Washington D.C. She explains lessons learned from her time protecting brands at Cyveillance, breaking down the optimal way to get a social media company’s attention when you’d like to have something changed or removed. Camille also explains how State security might be modeled after progressive smaller countries who excel in cyber, leaning on her time working in foreign relations during the Obama Administration.  We wrap up with her recent investigation and resulting paper on how foreign nations, especially China, have been leveraging U.S. bankruptcy proceedings to acquire large amounts of American intellectual property on the cheap.

It all changed one day while Nand was sitting in traffic on the 101 freeway. Why am I doing this? Nand had experienced no less than 4 successful exits of cyber security companies where he was founder or CEO. He was one of the most accomplished cyber security entrepreneurs in the Silicon Valley. At that moment, Nand decided to leave corporate life and set course to start a new phase of his career in the government.His first step was to uproot his family and move them into graduate housing at Stanford where he would finally do that MBA degree he had considered long ago. Throughout Nand’s hour long interview with Jack and Dave, Nand explains how his family embraces the abrupt change from predictable Valley life and comforts to community living inside a small apartment on campus. While Nand is determining how to best complete projects with 19 year-olds, his wife Sarbani and children flourish, starting a non-profit as a result of their experience.Nand’s next step towards Washington D.C. is a one year stint across the country to the Harvard University John F. Kennedy School of Government where he aimed to learn “the art of politics”. His time spent amongst princes and fledgling politicians taught Nand important lessons in complexity, the power of good Queen ballad during karaoke and the occasional necessity of a Scorpion Bowl to wash it all down.After considering a run for Congress, Nand completes his plan to restart his career in government when by a series of unusual events (and a bit of start-up hustle) he becomes the CTO of the Department of Defense’s efforts in Artificial Intelligence. From his new vantage point, he shares what tech companies look like from the Washington D.C. perspective and answers heady questions such as “Who’s more trustworthy? A politician or a venture capitalist?” and we find out whether it’s easier to be in a government or a Valley boardroom.

The 2nd half of our conversation with Niloo focuses on her recent work in Washington DC where she holds several positions and recently (October 22nd, 2019) testified to Congress on the United State’s cyber security readiness. We begin with the topic of retaliation: What’s the proper response to a cyber attack if you want to discourage future aggression? Is cyber retaliation necessary to defend a country?With the 2020 elections on the horizon, Niloo explains her perspective on influence campaigns such as the highly publicized activities by Russia in the ’16 presidential elections. While often seen as election interference, she explains the broader goal of Russia’s strategy as an attack on the fabric of trust throughout a country— and how your phone and social networks can be complicit in this scheme.We end on a hopeful note: there are plenty of reasons to believe things will be better in the future in cyber security, starting with government restructuring from long outdated WW2 norms to a more modern organization design. And we learn why Niloo may not be your best choice as a new BFF on GoodReads.

There are stories, and then there are “epics”: tales of a journey so full of unexpected twists and excitement that you’re left wondering how all that could happen to a single person. Niloo Razi Howe’s life is such an epic. Whereas most epics feature men with swords, this one focuses on a woman with heels and a hockey stick.While Niloo’s story as an Iranian exile is well-documented, our primary focus is on her career which began as an author and quickly moved to becoming a McKinsey consultant and then attorney… until she founded one of the few modestly successful online pet supply businesses in the 90s. Moved by 9-11, Niloo found the cyber security market and made it her sole focus as an investor at Paladin Capital Group. We discuss her early learnings from investing in security which focus on her time working with a portfolio company selling the millimeter wave scanning systems that are now commonplace at airports everywhere. Niloo took subsequent roles transforming a startup and then tried her hand at transforming industry titan RSA as their Chief Strategy Officer. Niloo then left it all to focus on her terminally ill mother. This experience affected her profoundly and we wrap up this first part of our conversation with Niloo by exploring how she now structures her career on 3 pillars of different activities versus 1 job.